Wireshark-dev: Re: [Wireshark-dev] TCP reassembling

From: Andriy Beregovenko <jet@xxxxxxxxxxx>
Date: Fri, 9 Dec 2011 10:52:09 +0200
Hi fab12,

On Fri, Dec 09, 2011 at 08:25:12AM +0100, fab12@xxxxxxxxxxx wrote:
> Hello,
> 
> I am having a problem using the tcp_dissect_pdus and hope someone can help
> me here.
> 
> The documentation seems pretty clear to me and I think I am doing what I
> am supposed to do:
> 
> 	tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 20,
>                     get_foo_message_len, dissect_foo_packet);
> 
> 
> static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int
> offset)
> {
> 	guint length;
> 	unsigned char lengthBytes[4];
> 
> 	tvb_memcpy(tvb, lengthBytes, offset+MPI_LENGTH_INDEX, MPI_LENGTH_SIZE/8);
> 	length = lengthBytes[0] + (lengthBytes[1]<<8) + (lengthBytes[2]<<16) +
> (lengthBytes[3]<<24) + MPI_HEADER_SIZE;
> 
>     return length;
> }

Try to use tvb_get_ntohl or tvb_get_htonl. AFAIA you wanna read some kind of
integer from raw data, am I right?
 
> Unfortunately, when I open a capture file it is not working properly.
> When I attach to Wireshark with a debugger I can see that the behavior is
> not the one I expect:
> 
> 1. The debugger stops at a first frame which contains the beginning of a
> large message.
> I can see that my get_foo_message_len is called and returns the length of
> the complete message.
> 2. Then Wireshark processes the next frame, which contains the remainder
> of the message. I can see it calls get_foo_message_len. Is this normal?
> I don't think so, and if it is, what am I supposed to do since I can't
> retrieve the size of the message the second time.
> 
> Best regards,
> Fabien
> 
> PS: Sorry if this is a duplicate. I tried to send the question already
> yesterday but I can't see it in my outbox so I guess I misclicked...

-- 
Best regards,
Andriy
0xBDDBDAE3

Attachment: signature.asc
Description: Digital signature
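
The length computation from the quoted get_foo_message_len, as an added, self-contained C model that is not part of the original thread and does not use Wireshark's API: it reads the little-endian field without shifting a promoted int into the sign bit, rejects a length that would wrap when the header size is added, and reports how many bytes a partial message still needs. FOO_HEADER_SIZE and FOO_LENGTH_INDEX are assumed values standing in for the post's MPI_HEADER_SIZE and MPI_LENGTH_INDEX, which the post does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FOO_HEADER_SIZE  20u /* assumed: equals the fixed_len of 20 in the post */
#define FOO_LENGTH_INDEX 16u /* assumed (hypothetical) offset of the length field */

/* Widen each byte first so a top byte >= 0x80 never shifts into a sign bit. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Full PDU length (header + payload) from a complete header, or 0 when
 * the header is incomplete or the sum would wrap past 32 bits. */
static uint32_t foo_pdu_len(const uint8_t *hdr, size_t avail)
{
    if (avail < FOO_HEADER_SIZE) return 0;
    uint32_t payload = read_le32(hdr + FOO_LENGTH_INDEX);
    if (payload > UINT32_MAX - FOO_HEADER_SIZE) return 0;
    return payload + FOO_HEADER_SIZE;
}

/* Count complete PDUs in a byte stream. *missing gets the bytes still
 * needed for a trailing partial PDU. Returns -1 on a rejected length. */
static int foo_count_pdus(const uint8_t *s, size_t len, size_t *missing)
{
    size_t off = 0; int n = 0;
    *missing = 0;
    while (off < len) {
        size_t avail = len - off;
        if (avail < FOO_HEADER_SIZE) { *missing = FOO_HEADER_SIZE - avail; break; }
        uint32_t pdu = foo_pdu_len(s + off, avail);
        if (pdu == 0) return -1;
        if (pdu > avail) { *missing = pdu - avail; break; }
        off += pdu; n++;
    }
    return n;
}

int main(void)
{
    uint8_t s[22] = {0}; /* constructed: header announcing 4 bytes, 2 present */
    size_t missing;
    s[FOO_LENGTH_INDEX] = 4;
    int n = foo_count_pdus(s, sizeof s, &missing);
    printf("%d complete, %zu missing\n", n, missing);
    return 0;
}
```

Inside a dissector, the little-endian read performed by read_le32 is what Wireshark's tvb_get_letohl accessor does.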