Wireshark-dev: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 5 May 2011 13:39:25 -0700
On May 5, 2011, at 1:06 PM, Chris Maynard wrote:

>   Note, however, that you must fill in column information, create
>   conversations, reassemble packets, build any other persistent state
>   needed for dissection, and call subdissectors regardless of whether
>   "tree" is NULL or not.  ...

I.e., there is *no* guarantee that, for all calls to the dissector for a TCP segment, pinfo->tcp_tree will be non-null.

If, for example, that's not the case in the first pass through the packets, when the capture file is being read, the behavior of TCP reassembly of the protocol will be incorrect, because the reassembly depends on *every* segment being handed to the dissector in order.

What should be done is:

#include <epan/packet.h>
#include <epan/dissectors/packet-tcp.h>   /* tcp_dissect_pdus() */
/* TCP entry point: let the TCP layer reassemble segments and hand over one PDU at a time. */
void dissect_for_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
        /* Runs for every segment, whether or not "tree" is NULL, so reassembly state stays complete. */
        tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE,
                         get_message_tcpmessage_len, dissect_message_tcpmessage);
}

and register that as the dissector for TCP and *ONLY* TCP, and have a separate dissector for UDP, and register that for UDP.

The two dissectors can possibly share common code; when running over UDP, is there one message per UDP datagram, with the messages looking exactly like the TCP messages?
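As an added illustration (not code from this thread and not Wireshark's own implementation), the self-contained C model below mimics the split that tcp_dissect_pdus() enforces: a length getter reads a fixed-size header, bytes are buffered per connection until a whole PDU is present, and the PDU dissector runs once per message. It also shows why every segment has to pass through the dissector in order: leaving one segment out of the feed desynchronises the framing, so later messages are mis-parsed. The 4-byte header layout (2-byte big-endian length, 2-byte big-endian type), the stream bytes, the segment cut points and all function names are constructed assumptions for this example. The UDP path reuses the same PDU dissector for the one-message-per-datagram case raised in the last paragraph.

```c
/* Constructed model of the "get PDU length" + "dissect one PDU" callback split.
 * Not Wireshark code; header layout and names are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MESSAGE_HEADER_SIZE 4       /* assumed: 2-byte BE total length, 2-byte BE type */
#define STREAM_BUF_SIZE     1024

/* Per-connection reassembly state (Wireshark keeps this per conversation). */
typedef struct { uint8_t buf[STREAM_BUF_SIZE]; size_t pending; } stream_t;

/* Sink that records what the PDU dissector saw. */
typedef struct { int pdus; unsigned type_sum; } sink_t;
typedef void (*pdu_fn)(const uint8_t *pdu, size_t len, sink_t *sink);

/* Counterpart of the get_pdu_len callback: total PDU length from the header. */
static size_t get_message_len(const uint8_t *hdr)
{
    return ((size_t)hdr[0] << 8) | hdr[1];
}

/* Shared PDU dissector, used unchanged by the TCP and the UDP paths. */
static void dissect_message(const uint8_t *pdu, size_t len, sink_t *sink)
{
    (void)len;
    sink->pdus++;
    sink->type_sum += (unsigned)((pdu[2] << 8) | pdu[3]);
}

/* TCP path: every segment must come through here, in order, or the buffered
 * prefix of a spanning PDU is lost. Returns PDUs completed by this segment,
 * or -1 if a header carries an impossible length or the buffer would overflow. */
static int feed_tcp_segment(stream_t *s, const uint8_t *seg, size_t len, pdu_fn fn, sink_t *sink)
{
    int done = 0;
    if (len > STREAM_BUF_SIZE - s->pending)
        return -1;                              /* refuse rather than overrun the buffer */
    memcpy(s->buf + s->pending, seg, len);
    s->pending += len;
    while (s->pending >= MESSAGE_HEADER_SIZE) {
        size_t plen = get_message_len(s->buf);
        if (plen < MESSAGE_HEADER_SIZE || plen > STREAM_BUF_SIZE)
            return -1;                          /* malformed length: stop, never loop forever */
        if (plen > s->pending)
            break;                              /* PDU continues in a later segment: wait */
        fn(s->buf, plen, sink);
        done++;
        memmove(s->buf, s->buf + plen, s->pending - plen);
        s->pending -= plen;
    }
    return done;
}

/* UDP path: exactly one message per datagram, no state carried across datagrams. */
static int dissect_udp_datagram(const uint8_t *dgram, size_t len, pdu_fn fn, sink_t *sink)
{
    if (len < MESSAGE_HEADER_SIZE || get_message_len(dgram) != len)
        return -1;
    fn(dgram, len, sink);
    return 1;
}

/* Constructed stream: three messages (lengths 6, 4, 8) cut into four segments
 * whose boundaries deliberately ignore message boundaries. */
static const uint8_t k_stream[] = {
    0x00,0x06, 0x00,0x01, 0xAA,0xBB,            /* msg 1: len 6, type 1 */
    0x00,0x04, 0x00,0x02,                       /* msg 2: len 4, type 2 */
    0x00,0x08, 0x00,0x03, 0x01,0x02,0x03,0x04   /* msg 3: len 8, type 3 */
};
static const size_t k_segment_end[] = { 3, 7, 12, 18 };

/* Feed the stream segment by segment; skip_segment = -1 feeds all of them. */
static sink_t run_tcp_demo(int skip_segment)
{
    stream_t s = { {0}, 0 };
    sink_t sink = { 0, 0 };
    size_t start = 0;
    for (int i = 0; i < 4; i++) {
        size_t end = k_segment_end[i];
        if (i != skip_segment)
            feed_tcp_segment(&s, k_stream + start, end - start, dissect_message, &sink);
        start = end;
    }
    return sink;
}

/* One datagram holding the first `len` bytes of the stream. */
static int run_udp_demo(size_t len)
{
    sink_t sink = { 0, 0 };
    return dissect_udp_datagram(k_stream, len, dissect_message, &sink);
}

/* A header claiming a length shorter than the header itself must be rejected. */
static int run_malformed_demo(void)
{
    stream_t s = { {0}, 0 };
    sink_t sink = { 0, 0 };
    const uint8_t bad[] = { 0x00, 0x02, 0x00, 0x00 };
    return feed_tcp_segment(&s, bad, sizeof bad, dissect_message, &sink);
}

int main(void)
{
    sink_t all = run_tcp_demo(-1), missing = run_tcp_demo(1);
    printf("every segment dissected: %d PDUs, type sum %u\n", all.pdus, all.type_sum);
    printf("segment 1 skipped:       %d PDUs, type sum %u\n", missing.pdus, missing.type_sum);
    return 0;
}
```

With all four segments fed, the three messages come out with types 1, 2 and 3; dropping the second segment makes the reassembler stitch unrelated bytes into a bogus message of type 4 and lose one message entirely, which is the failure mode of short-circuiting on a NULL tree. The length check before the loop is the bounds check a real dissector needs too: a zero or sub-header length from the wire must not be allowed to spin the PDU loop or read past the buffer.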