Wireshark-dev: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP pack
From: "Fernandez, Rafael" <[email protected]>
Date: Wed, 4 May 2011 17:19:44 -0500

I am writing a dissector plugin and I am using tcp_dissect_pdus in order to reassemble packets. However, I am experiencing issues when there are multiple application layer messages in one packet and the last one is not complete. Specifically, I have 5 messages in one TCP packet. There are 5 calls to the get_pdu_len function and four calls to the dissect_pdu function. Since there is not enough data in the current tvbuff_t, tcp_dissect_pdus returns. When dissect_message is called again, the beginning of the message is lost. When get_pdu_len gets called again it reads a garbage size.

Per https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html, I thought that tcp_dissect_pdus is supposed to handle this. I can't find example code in any dissector in /epan/dissectors/* that handles this unlike I am. Am I missing something?

This is part of my code:

void dissect_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
        if(pinfo->tcp_tree != NULL) {
                tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE,
                                 get_message_tcpmessage_len, dissect_message_tcpmessage);
        else {
                // For UDP just print the data for now.
                call_dissector(data_handle, tvb, pinfo, tree);

guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
        if(tvb_length_remaining(tvb, offset) <= 8)
                return 0;

        gint32 size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
        gint32 type = tvb_get_letohl(tvb, offset+4);
        printf("Len: %u type %d\n", size, type);
        if(strcmp(typeAsString(type), "Unknown") == 0)
                return tvb_length_remaining(tvb, offset);
        return size;


Rafael Fernandez
131 South Dearborn Street, Chicago, Illinois 60603
T: 312-395-4224 | C: 312-485-4292
[email protected]


The contents of this message and any attachments may be confidential and proprietary and also may be covered by the Electronic Communications Privacy Act. This message is not intended to be used by, and should not be relied upon in any way, by any third party.  If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, disseminating, distributing or copying the contents. Citadel makes no assurances that this e-mail and any attachments are free of viruses and other harmful code.