Wireshark-dev: Re: [Wireshark-dev] reassembling tcp streams to dissect netstrings
From: Sake Blok <[email protected]>
Date: Mon, 14 Feb 2011 12:48:21 +0100
On 14 feb 2011, at 11:59, Toni Ruottu wrote:

> I am writing a plugin to dissect a TCP stream of netstrings. Examples
> of netstrings would include "5:hello," and "0:,". See
> http://cr.yp.to/proto/netstrings.txt for details. Method
> tcp_dissect_pdus takes length of the data as a parameter, which is not
> a problem for the payload part, but how do I reassemble the stream up
> to the first ":", so I can read the length information?

That's also done by tcp_dissect_pdus:

(from epan/dissectors/packet-tcp.h)
/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
 *
 * "dissect_pdu()" is the routine to dissect a PDU.
 */
extern void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                 gboolean proto_desegment, guint fixed_len,
                 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
                 dissector_t dissect_pdu);

In short, you need to tell tcp_dissect_pdus the minimum number of bytes that are always available and will contain enough information to determine the length of a PDU.

In your case the length field is itself of variable length, which makes using tcp_dissect_pdus impossible, unless you can make sure all lengths are written as a fixed-length string, like "00005:Hello" and "00000:" for PDUs with a maximum size of 99999. If this is not possible, then you will need to use the pinfo struct, as described in paragraph 2.7.2 of "doc/README.developer".

Hope this helps,
Cheers,


Sake
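The framing step such a dissector has to implement by hand, since the variable-length [len] prefix defeats the fixed-header model of tcp_dissect_pdus, is shown below as an added example. It is not Wireshark code and not part of the original thread; it mirrors the two-phase decision a dissector makes before filling pinfo->desegment_offset / pinfo->desegment_len: while the ':' has not arrived yet, the exact shortfall is unknown and the caller can only ask for "one more segment" (need_more = 0 here, the role DESEGMENT_ONE_MORE_SEGMENT plays in Wireshark); once the colon is seen, the exact number of missing bytes is known. The nine-digit cap on [len] is this example's assumed bound (it still accommodates the 999999999-byte maximum the netstring spec talks about); without some bound, a peer could send digits indefinitely and the dissector would buffer forever waiting for a colon that never comes. Leading zeros and a missing trailing ',' are rejected as the spec requires. The sample stream in main() is constructed for the demo.

```c
/* netstring_frame.c: framing logic for a netstring-over-TCP dissector.
 * Added example, not Wireshark's code. Build: cc -std=c99 -Wall netstring_frame.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    NS_OK,        /* complete netstring at buf[0]; frame fields are valid       */
    NS_NEED_MORE, /* incomplete; *need_more = bytes missing, 0 = not yet known   */
    NS_MALFORMED  /* protocol violation; the stream cannot be trusted any more  */
} ns_status;

typedef struct {
    size_t payload_off; /* index of first payload byte (just past ':') */
    size_t payload_len; /* value of [len]                              */
    size_t total_len;   /* digits + ':' + payload + ','                */
} ns_frame;

/* Assumed bound on the digit count (9 digits = up to 999999999 bytes). */
#define NS_MAX_LEN_DIGITS 9

/* Try to frame one netstring at the start of buf[0..len). */
ns_status ns_frame_pdu(const uint8_t *buf, size_t len, ns_frame *f, size_t *need_more)
{
    size_t i = 0;
    uint64_t n = 0;
    *need_more = 0;

    for (;;) {                                   /* phase 1: [len] ":" */
        if (i == len) return NS_NEED_MORE;       /* ':' not seen yet, shortfall unknown */
        uint8_t c = buf[i];
        if (c == ':') {
            if (i == 0) return NS_MALFORMED;     /* ":" with no digits in front */
            i++;
            break;
        }
        if (c < '0' || c > '9') return NS_MALFORMED;
        if (i == 1 && buf[0] == '0') return NS_MALFORMED; /* leading zero: "0" must be followed by ':' */
        if (i == NS_MAX_LEN_DIGITS) return NS_MALFORMED;  /* tenth digit: over the cap */
        n = n * 10 + (uint64_t)(c - '0');
        i++;
    }

    f->payload_off = i;                          /* phase 2: payload "," */
    f->payload_len = (size_t)n;                  /* <= 999999999, so no overflow below */
    f->total_len = i + (size_t)n + 1;
    if (len < f->total_len) {
        *need_more = f->total_len - len;         /* exact count now known */
        return NS_NEED_MORE;
    }
    if (buf[f->total_len - 1] != ',') return NS_MALFORMED;
    return NS_OK;
}

/* Walk a buffer the way tcp_dissect_pdus walks a segment: handle every complete
 * PDU, stop at the first incomplete or malformed one and report where and why. */
typedef struct { size_t pdus, consumed, need_more; ns_status last; } ns_walk_result;

ns_walk_result ns_walk(const uint8_t *buf, size_t len)
{
    ns_walk_result r = { 0, 0, 0, NS_OK };
    ns_frame f;
    while (r.consumed < len) {
        r.last = ns_frame_pdu(buf + r.consumed, len - r.consumed, &f, &r.need_more);
        if (r.last != NS_OK) break;
        /* A real dissector would hand buf + r.consumed + f.payload_off,
         * f.payload_len to the payload dissector here. */
        r.consumed += f.total_len;
        r.pdus++;
    }
    return r;
}

/* C-string wrappers for the demo and tests. */
ns_status ns_status_of(const char *s)
{ ns_frame f; size_t need; return ns_frame_pdu((const uint8_t *)s, strlen(s), &f, &need); }
long ns_need_of(const char *s)   /* missing bytes, or -1 unless NS_NEED_MORE */
{ ns_frame f; size_t need; return ns_frame_pdu((const uint8_t *)s, strlen(s), &f, &need) == NS_NEED_MORE ? (long)need : -1; }
long ns_total_of(const char *s)  /* whole PDU length, or -1 unless NS_OK */
{ ns_frame f; size_t need; return ns_frame_pdu((const uint8_t *)s, strlen(s), &f, &need) == NS_OK ? (long)f.total_len : -1; }

int main(void)
{
    /* Constructed sample: three netstrings split across three TCP segments. */
    const char *segs[] = { "1", "2:hello world!,0:,5:hel", "lo," };
    uint8_t acc[64];
    size_t acc_len = 0;
    for (size_t s = 0; s < 3; s++) {
        memcpy(acc + acc_len, segs[s], strlen(segs[s]));
        acc_len += strlen(segs[s]);
        ns_walk_result r = ns_walk(acc, acc_len);
        printf("after segment %zu: %zu PDU(s), %zu bytes consumed, status %d, need %zu more\n",
               s + 1, r.pdus, r.consumed, (int)r.last, r.need_more);
        memmove(acc, acc + r.consumed, acc_len - r.consumed); /* keep the undissected tail */
        acc_len -= r.consumed;
    }
    return 0;
}
```

After the first segment ("1") the walker reports zero PDUs and an unknown shortfall; after the second it has dissected two PDUs and knows that exactly three more bytes are missing for the third; the final segment completes it. The same two outcomes are what a Wireshark dissector translates into pinfo->desegment_len before returning.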