Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Help with desegmentation issue

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 16 Dec 2009 12:28:18 -0500
Title: RE: Help with desegmentation issue

As you’ve discovered, the TCP dissector won’t attempt to reassemble packets if the TCP checksum is invalid.  In the short-term, you may choose to disable TCP checksum validation to try to work around this.

 

Edit -> Preferences -> Protocols -> TCP -> Deselect “Validate the TCP checksum if possible”

 

In the long-term, maybe a change to the TCP dissector could be made to attempt reassembly even if the TCP checksum is bad, possibly through a new TCP preference allowing this?  I’m not sure how well that would work though, so I leave it as a question/topic of discussion for the TCP dissector author(s) and core developers.

 

- Chris

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jarolin, Robert
Sent: Wednesday, December 16, 2009 8:24 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Help with desegmentation issue

 

I discovered what the problem was with the dissection.
It turns out that "tcp_dissect_pdus" does not work properly if the packet(s) have "TCP CHECKSUM INCORRECT"

I took the data (4 packets) that had the data segmented and rebuilt the packet header data including the TCP header using text2pcap.

When I tried to dissect these packets (that now had proper TCP checksums), my dissector correctly desegmented the data.
I then edited the packets to just change the TCP checksum and tried again.  The packets can no longer be desegmented.

Any ideas what to do about this issue?

Thanks.

See my original message below:

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

 

I have a dissector that uses tcp_dissect_pdus that does not seem to be doing the job.  Please help.
I have a dump that contains 4 TCP packets that are all related to the same message (a total of 4428 bytes).
The first 3 packets are a length of 1460 bytes and the last 48 bytes => 1460 * 3 + 48 = 4428
When dissection takes place, the desegmentation does not seem to properly occur.

Under the TCP portion of the dissection it properly says:
  [PDU Size: 4428]
But the data available for dissection is only the size of the first packet (1460)

What I am doing wrong?  Thanks for any help.

Below are excerpts from my dissector:

#define FRAME_HEADER_LEN 4

static void
dissect_myproto_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  /* Check that there's enough data */
  total_len = tvb_length(tvb);
  printf("Total_len = %u\n", total_len);  // THIS prints 1460
.
// Dissect my data
.
}

static guint
get_myproto_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
  guint length = 0;

  // myproto message (length is 2 bytes starting at offset 0 * 4)
  length = (guint) ( tvb_get_ntohs( tvb, offset ) * 4 ); // Get the length

  printf("TOTAL of mesage = %u\n", length);  // This prints 4428
  return length;
}

 

/* Code to actually dissect the packets */
static void
dissect_myproto(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
      get_myproto_message_len, dissect_myproto_message);
}


Confidentiality Notice: This e-mail (including any attachments) is intended only for the recipients named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not a named recipient, please notify the sender of that fact and delete the e-mail from your system.

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.