[Wireshark-dev] Fragmented, truncated packets

From: Glenn Matthews <glmatthe@xxxxxxxxx>
Date: Thu, 1 Sep 2011 16:09:35 -0400
I'm working on a new dissector for a TCP-based protocol. I think I've got the dissector successfully handling fragmented packets (using tcp_dissect_pdus), and I think I've got the dissector successfully handling truncated packets ("packet size limited during capture") but what do I need to do for captures where both apply?

In other words, I have a .pcap where packet size is limited to 96 bytes. In this pcap, there is a protocol message which is fragmented across two TCP segments. So for this message I have bytes 1-42 (in the first TCP segment), then bytes 43-661 are lost due to truncation, then I have bytes 662-703 (in the second segment), and the remainder of the message is lost due to truncation of the second segment.

Given that the first segment correctly decodes (up until the truncation point) and reports a total message length of 844, I would expect the second segment to be recognized as part of the same message (and perhaps discarded since it's an isolated "middle" chunk of the message), but instead my dissector tries to treat the second segment as the beginning of a new protocol message, which of course reports numerous protocol warnings since it's not actually a message header. Is this a known limitation in Wireshark, or am I missing something in my dissector?

Thanks,

Glenn
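The bookkeeping the post is asking about, as an added Python model rather than code from the post or from Wireshark's tcp_dissect_pdus: record each PDU's sequence extent once its header is seen and classify later segments against that extent, so a captured middle chunk is reported as continuation data instead of being parsed as a new header. The 4-byte length header and the exact segment lengths are assumptions constructed from the numbers in the post (96-byte snaplen, 42 payload bytes per frame, 844-byte message).

```python
import struct

HEADER_LEN = 4  # hypothetical header: 4-byte big-endian total message length

class PduTracker:
    """Remembers the extent (start seq, total length) of every PDU whose header
    was seen, so later segments that fall inside that extent are reported as
    continuation data instead of being parsed as a fresh header."""

    def __init__(self):
        self.pdus = []  # (start_seq, total_len) per PDU seen so far

    def classify(self, seq, payload, wire_len):
        # seq: relative TCP sequence number of the first payload byte
        # payload: bytes actually captured; wire_len: payload bytes on the wire
        for start, total in self.pdus:
            if start <= seq < start + total:
                return "continuation"  # middle/tail of an already-sized PDU
        if len(payload) < HEADER_LEN:
            return "need_more"  # header itself cut off, cannot size the PDU
        total = struct.unpack(">I", payload[:HEADER_LEN])[0]
        self.pdus.append((seq, total))
        if wire_len > len(payload):
            return "truncated_start"  # header seen, body lost to the snaplen
        return "complete" if wire_len >= total else "start"

def classify_segments(segments):
    tracker = PduTracker()
    return [tracker.classify(seq, payload, wire_len)
            for seq, payload, wire_len in segments]

# Constructed segments mirroring the post: a 96-byte snaplen leaves 42 payload
# bytes per frame; the first header announces an 844-byte message.
SEGMENTS = [
    (0, struct.pack(">I", 844) + b"A" * 38, 661),   # bytes 1-42 kept, 43-661 lost
    (661, b"B" * 42, 183),                           # bytes 662-703 kept, rest lost
    (844, struct.pack(">I", 20) + b"C" * 16, 20),    # next message, fully captured
]

if __name__ == "__main__":
    for seg, verdict in zip(SEGMENTS, classify_segments(SEGMENTS)):
        print(f"seq={seg[0]:4d} captured={len(seg[1]):2d} wire={seg[2]:3d} -> {verdict}")
```

In an actual dissector the same table would be kept in per-conversation state keyed by TCP sequence number.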