Wireshark · Wireshark-dev: Re: [Wireshark-dev] Multiple Packets in One TCP Segment

[Susan Ditmore <sditmore@xxxxxxxxx>]

Hello again,

My protocol now dissects packets by modifying pinfo, but the problem is that I still can't get a seperate column for each packet.
Is there any way to do this?

Thank you.

2009/8/17 Aurélien Decagny <funtim78@xxxxxxxxxxx>

I think this is a stupid question, but anyway:
Why don't you get directly the length of your packet directly in the
dissect_sle function?

why not doing something like this:

#include <string.h>
#define LENGTH_LECT 10000

...

static int dissect_sle(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
            char buffer[3]="";
             int i=0, length =0;
             char data[]= NULL;

            data = "">
         /* so we put all the hexadecimal data in a string */
           for(i=0; i< (int) tvb_length(tvb); i++)
           {
               sprintf(buffer,"%02x", tvb_get_guint8(tvb, i));
               strcat(data, buffer);
           }

            /* length is a number of octets
               * we compare all the octet to see if we have the
terminating octet */
            while (data[2*i]!= ... && data[2*i+1]!=...)
              {
                  length ++;
               }

            tcp_dissect_pdus(tvb, pinfo, tree, ... length);

            free(data);
}

Or we can count the number of end character, and call the
tcp_dissect_pdus each time. Well in fact this work if the end of
character is forbidden in the data, or if we can only find him at the
end of a structure. In the second case, it is a little bit more complex,
but you can create a new tree each time in the dissect_sle_message()
function.

I should have say something stupid, but it seems to me that it can work!

Regards

Aurelien


wsgd a écrit :

> Look at <wireshark sources>/doc/README.developer.
> 2.7 Reassembly/desegmentation for protocols running atop TCP.
> 2.7.2 Modifying the pinfo struct.
>
>
> Olivier
>
>
> Guy Harris a écrit :
>
>> On Aug 17, 2009, at 11:22 AM, Aurélien Decagny wrote:
>>
>>
>>
>>> When you use tcp_dissect_pdus, an argument is the length of the data
>>> to be decoded.
>>>
>>>
>> Unfortunately, in her case, the length can't be determined except by
>> scanning the packet for a terminating character:
>>
>>
>>
>>> On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:
>>>
>>>
>>>
>>>> I am developing a packet dissector plugin for Wireshark. The packets
>>>> I am dissecting do not specify their length in their header, but
>>>> they are terminated by a special character (and can be a variable
>>>> length). Additionally, multiple complete packets of the protocol may
>>>> arrive in one tcp segment. I would like to know how to tell
>>>> wireshark to divide up these packets. I understand there is a
>>>> command called tcp_dissect_pdus(), but I believe it needs the length
>>>> specified in the header. Is this correct?
>>>>
>>>>
>> so she can't use tcp_dissect_pdus().
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>>
>>
>>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

-- 
"To categorize is human; to distribute, divine."