Wireshark-dev: Re: [Wireshark-dev] Reassembling fragmented messages

From: Marcel Haas <inf462@xxxxxxxxxxx>
Date: Mon, 30 Jan 2012 12:23:51 +0100
On Thu, 19 Jan 2012 17:53:57 -0200, Francesco Jacomel <francesco.jacomel@xxxxxxxxx> wrote:
Hi,

I've just subscribed to this list to find some successful experience on
reassembling packets.
I'm trying to use the developers guide to help me on doing it, but I
had no success until this moment.

I'm creating a new dissector and for simple messages it works fine,
but nothing works, either when adding fragments in a hash table or
when reassembling the packets.
Let me show the incoming packets, at first, to make the problem more
clear.

In the .log file -also created by myself-, I have the following:

The packet with the total size to be reassembled is this one

18:25:13.257

000000 00 0C 00 05 AA FF 00 00 8F    .........

Where 00 0C 00 05 means:
01 - TX
0C - MY PROTOCOL
00 05 - 2 BYTES LENGTH

And A0 12 00 00 8F means:
AA - COMMAND CLASS
FF - INSTRUCTION
00 - DON'T CARE
00 - DON'T CARE
8F - THE TOTAL LENGTH OF THE BYTES TO BE RECEIVED BY THE ME.
fd->num;
frag_msg = fragment_add_seq_check(tvb, 1, pinfo,
    nRXCounter,                // guint32 ID for fragments belonging together
                               // - Is the same for the two parts of the message.
    iso7816_fragment_table,    // list of message fragments
    iso7816_reassembled_table, // list of reassembled messages
    nFrameCounter++,           // guint32 fragment sequence number
                               // - static variable starting at 0 value, working fine.
    tvb_reported_length(tvb),  // guint32 fragment length
    !bGetNextRXFragment);      // More fragments? */
bGetNextRXFragment = TRUE;
nLastRXLength = nLastRXLength-(len-3);
pinfo->fragmented = save_fragmented;

In the first RX received, it will add the tvb in the hash table, but
in the second, due to the bGetNextRXFragment = TRUE; it will call
fragment_add_seq_check with the last parameter being FALSE.
What I understand is that I need to change it to FALSE when I know
that there are no more fragments, right?

Is there any other parameter to pass/set in this function to signal
that there are no more fragments and the message can be reassembled?

I tried to change everything and use other functions, but it doesn't
work and frag_msg is NEVER a valid value; in Wireshark I see only
it adding fragments forever.
To check the answer for that, I have:

if (frag_msg) { /* Reassembled */
    col_append_str(pinfo->cinfo, COL_INFO, "REASSEMBLED");
    nFrameCounter = 0;
} else { /* Not last packet of reassembled Message */
    col_append_fstr(pinfo->cinfo, COL_INFO, "(Message fragment # %u)",
                    nFrameCounter++);
}

if (new_tvb) {
    col_append_fstr(pinfo->cinfo, COL_INFO, "new_tvb OK");
} else {
    col_append_fstr(pinfo->cinfo, COL_INFO, "* new_tvb NULL");
}

And what I see in Wireshark is:
8 18:25:13.264000 MyProtocol Equipment PROT 118  (Message fragment # 0)* new_tvb NULL
9 18:25:13.265000 MyProtocol Equipment PROT 36  (Message fragment # 1)* new_tvb NULL

Does anyone know how I can check if I'm doing everything needed to
reassemble the fragments with no problems? I'm doing something wrong
but I could not find what.

Thanks in advance to you all.

-- 
Francesco Jacomel.

Hey Francesco,
did your reassembly finally work?
If not:
I don't know where you built it in. I had problems with the check function too.
I included my code before the if(tree) and it finally worked.
What's important is that you have to build it in when if(tree==0). Maybe the visit-Flag can help you.

Regards Marcel
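
The question above turns on when the "more fragments" argument becomes FALSE, since fragment_add_seq_check only hands back a completed message once a fragment has been added with that argument FALSE. The following is an added example, not part of either post and not Wireshark code: a stand-alone C model that derives that flag from the declared total length (0x8F in the log above) and rejects a fragment that would overrun it, instead of subtracting lengths unchecked. All names (reasm_t, reasm_begin, reasm_add) and the fragment sizes are assumptions made for illustration.

```c
/* Stand-alone model of length-driven, sequence-numbered reassembly.
 * Hypothetical names; this is not the Wireshark reassembly API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOTAL 255  /* the total-length field in the log is one byte */

typedef struct {
    uint8_t  buf[MAX_TOTAL];
    size_t   total;     /* declared total length from the first packet */
    size_t   received;  /* payload bytes accumulated so far */
    uint32_t next_seq;  /* next expected fragment sequence number */
} reasm_t;

/* Start a new message; a zero or oversized declared length is malformed. */
int reasm_begin(reasm_t *r, size_t total)
{
    if (total == 0 || total > MAX_TOTAL) return -1;
    memset(r, 0, sizeof *r);
    r->total = total;
    return 0;
}

/* Add one fragment. Returns 1 when the message is complete (the point at
 * which "more fragments" is FALSE), 0 when more are needed, -1 if malformed. */
int reasm_add(reasm_t *r, uint32_t seq, const uint8_t *data, size_t len)
{
    if (seq != r->next_seq) return -1;             /* duplicate or gap */
    if (len == 0 || len > r->total - r->received)  /* would exceed declared total */
        return -1;
    memcpy(r->buf + r->received, data, len);
    r->received += len;
    r->next_seq++;
    return r->received == r->total;
}

int main(void)
{
    reasm_t r;
    uint8_t a[115] = {0}, b[28] = {0};  /* constructed fragments: 115 + 28 = 0x8F */
    reasm_begin(&r, 0x8F);
    printf("%d ", reasm_add(&r, 0, a, sizeof a));
    printf("%d\n", reasm_add(&r, 1, b, sizeof b));
    return 0;
}
```

In a real dissector the per-message state would be keyed by conversation rather than held in static variables, because Wireshark dissects frames more than once and not always in order.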