Wireshark-dev: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP
From: Graham Bloice <[email protected]>
Date: Thu, 05 May 2011 17:15:15 +0100
On 05/05/2011 16:59, Fernandez, Rafael wrote:

I used to have a very simple get_message_tcpmessage_len. But most of the TCP packets would then say [TCP segment of a reassembled PDU].
I eliminated everything again. This is my current get_message_tcpmessage_len:

guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
        guint remaining  = tvb_length_remaining(tvb, offset);
        guint last_size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
        if(last_size > remaining)
                printf("not enough data: %d remaining: %d\n", last_size, remaining);
        return last_size;

I get the following output in consecutive packets from host A to host B:

not enough data: 322 remaining: 144
not enough data: 445080968 remaining: 1448

There are no 445080968 byte messages being sent, ever. It is that the dissector called by tcp_dissect_pdus gets a partial message. Clearly, it is not buffering the packets correctly. I *could* hack it together but I thought this is part of what tcp_dissect_pdus was supposed to do.
BTW - I am using and compiling against 1.4.6.

Thank you for your responses,

The types you are using to hold "remaining" and "last_size" might be an issue, tvb_length_remaining() returns a gint and tvb_get_letohl() returns a guint32.


Graham Bloice