Wireshark-dev: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp

From: didier <dgautheron@xxxxxxxx>
Date: Tue, 25 Aug 2009 14:23:08 +0200
Hi,
On Monday, 24 August 2009 at 17:37 -0700, Guy Harris wrote:
> On Aug 24, 2009, at 11:02 AM, Sudarshan Raghavan wrote:
> 
> > How do I make tcp_dissect_pdus work correctly with chunks across TCP  
> > segments.
> 
> Is it not working correctly now?  I've seen it work correctly for  
> other protocols, even with multiple messages within one TCP segment,  
> messages split across TCP segments, and messages split across TCP  
> segments with the last TCP segment having the end of one message  
> followed by other messages or the beginning of another message.
> 
> Note that "working correctly" does not mean "calling your dissector  
> with a non-zero offset", it means "calling your chunk dissector with a  
> completely reassembled RTMP chunk, even if the chunk is split across  
> TCP segment boundaries or if there are parts of more than one RTMP  
> chunk (or complete RTMP chunks) in a TCP segment".
From previous Sudarshan mails I'm not sure it's his problem, but
tcp_dissect_pdus only works well with RPC-like protocols, i.e.:
send request
wait reply
send request
...

Because there are 'bubbles' in the TCP pipe, the odds that a PDU starts at
TCP segment offset zero are good. It's important for finding the *first*
dissected PDU; after that it's OK.

Not so for 'stream'-like protocols, or if you have a lot of missing TCP
segments. Something like:

desegment_foo(tvb, offset)
{
	/* offset of the first PDU marker in this segment, or -1 if none */
	marker_ofs = find_marker(tvb, offset);
	if (marker_ofs)
		/* non-zero: -1 (no marker) or bytes before the marker, both belong to an earlier PDU */
		add_item("continuation");
	if (marker_ofs >= 0)
		/* start the PDU loop at the marker, not at segment offset zero */
		tcp_dissect_pdus(tvb, min_length, marker_ofs);
}

may help. Of course it doesn't deal with a marker split across TCP segments,
but you get the idea.

You can do it in the get_pdu_len function, but it has other issues (like
when the actual length of the continuation is smaller than the min
length).
   
Didier
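As an added illustration of the first-PDU problem discussed in this message (example code written for this archive page; it is not from the thread, from RTMP, or from Wireshark itself), here is a stand-alone C simulation of the two approaches. It assumes a toy PDU format (2-byte marker 0xAB 0xCD, a 1-byte payload length, then the payload) and a constructed three-segment capture that begins in the middle of an earlier PDU. The plain offset-zero loop, which is what tcp_dissect_pdus does on its own, reads a bogus length out of the leftover bytes and waits forever for a PDU that never completes; the marker path drops the leading bytes as continuation and then dissects both PDUs. Unlike the sketch above, it also keeps the trailing byte while no full marker has been seen, so a marker split across two segments is handled.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Toy PDU format, an assumption made for this example (not a real protocol):
 * 2-byte marker 0xAB 0xCD, 1-byte payload length, payload. */
#define MARKER0  0xAB
#define MARKER1  0xCD
#define HDR_LEN  3
#define MAX_BUF  256
#define MAX_PDUS 16

struct pdu {
    int     valid;            /* header carried the expected marker */
    uint8_t len;
    uint8_t data[MAX_BUF];
};

/* Stand-in for the per-conversation state tcp_dissect_pdus keeps for us. */
struct reassembler {
    uint8_t    buf[MAX_BUF];  /* bytes received but not yet consumed */
    size_t     n;
    int        synced;        /* first PDU boundary located? */
    size_t     continuation;  /* bytes dropped as "continuation" of an unseen PDU */
    struct pdu out[MAX_PDUS];
    int        npdus;
};

/* Equivalent of a get_pdu_len callback: total PDU length from a header. */
static size_t get_pdu_len(const uint8_t *hdr)
{
    return HDR_LEN + hdr[2];
}

/* Equivalent of the find_marker() in the sketch: marker offset or -1. */
static int find_marker(const uint8_t *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (b[i] == MARKER0 && b[i + 1] == MARKER1)
            return (int)i;
    return -1;
}

/* Feed one TCP segment payload. use_marker == 0 models plain
 * tcp_dissect_pdus (a PDU is assumed to start at offset zero of the first
 * segment); use_marker == 1 resyncs on the marker before the PDU loop. */
static void feed(struct reassembler *r, const uint8_t *seg, size_t len,
                 int use_marker)
{
    if (r->n + len > MAX_BUF)
        return;                              /* keep the toy bounded */
    memcpy(r->buf + r->n, seg, len);
    r->n += len;

    if (!r->synced && use_marker) {
        int m = find_marker(r->buf, r->n);
        if (m < 0) {
            /* No complete marker yet: all but the last byte is continuation.
             * Keeping that byte is what makes a marker split across two
             * segments work, which the sketch in the mail does not handle. */
            size_t keep = r->n ? 1 : 0;
            r->continuation += r->n - keep;
            memmove(r->buf, r->buf + r->n - keep, keep);
            r->n = keep;
            return;
        }
        r->continuation += (size_t)m;        /* bytes before the marker */
        memmove(r->buf, r->buf + m, r->n - (size_t)m);
        r->n -= (size_t)m;
    }
    r->synced = 1;

    /* The tcp_dissect_pdus loop: need a full header, then a full PDU. */
    size_t off = 0;
    while (r->n - off >= HDR_LEN) {
        size_t plen = get_pdu_len(r->buf + off);
        if (r->n - off < plen)
            break;                           /* wait for more segments */
        if (r->npdus < MAX_PDUS) {
            struct pdu *p = &r->out[r->npdus++];
            p->valid = r->buf[off] == MARKER0 && r->buf[off + 1] == MARKER1;
            p->len = r->buf[off + 2];
            memcpy(p->data, r->buf + off + HDR_LEN, p->len);
        }
        off += plen;
    }
    memmove(r->buf, r->buf + off, r->n - off);
    r->n -= off;
}

/* Constructed capture: the trace starts inside an earlier PDU (two payload
 * bytes of it remain), the first marker is split across segments 1 and 2,
 * and two complete PDUs follow. Returns the number of PDUs dissected. */
static int run_scenario(int use_marker, struct reassembler *r)
{
    static const uint8_t seg1[] = { 0x11, 0x22, MARKER0 };
    static const uint8_t seg2[] = { MARKER1, 4, 'A', 'B' };
    static const uint8_t seg3[] = { 'C', 'D', MARKER0, MARKER1, 2, 'E', 'F' };
    memset(r, 0, sizeof *r);
    feed(r, seg1, sizeof seg1, use_marker);
    feed(r, seg2, sizeof seg2, use_marker);
    feed(r, seg3, sizeof seg3, use_marker);
    return r->npdus;
}

int main(void)
{
    struct reassembler r;
    for (int use_marker = 0; use_marker < 2; use_marker++) {
        int n = run_scenario(use_marker, &r);
        printf("%s: %d PDU(s), %zu continuation byte(s), %zu byte(s) pending\n",
               use_marker ? "marker resync" : "plain offset-zero",
               n, r.continuation, r.n);
        for (int i = 0; i < n; i++)
            printf("  pdu %d: valid=%d payload=%.*s\n", i, r.out[i].valid,
                   r.out[i].len, r.out[i].data);
    }
    return 0;
}
```

The stall in the plain run is the realistic failure mode rather than a contrived one: the leftover byte 0xAB is read as a payload length of 171, so the loop keeps asking for more data and nothing in the trace ever gets dissected. Depending on which byte happens to land at offset zero, the plain loop can instead emit misaligned PDUs with a wrong marker, which is why the example records a valid flag per PDU. Real Wireshark code would do the same resync against a tvbuff and hand the remaining bytes to tcp_dissect_pdus, but the buffering logic is identical.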