Hi,
I'am writing dissector for protocol over TCP stream which can emit more
than one packet per real TCP frame. For example lets assume that we have
ethernet tunnel over TCP stream, and one TCP frame of length 15000 bytes
(assume the capture with TSO on) can contain five or ten embedded
ethernet packets. So I can successfully dissect this stream, can write
info about each packet to frame tree. But it is not possible to indicate
such packet in frame list. And another case when I try to sub dissect
emitted packets by ethernet dissector the system goes crazy and breaks
TCP reassemble functionality.
What is a proper way to write such dissector? How can I indicate new
frames to frame list? How not to break TCP reassemble functionality when
subdissecting nested packets?
The best approach I have found is to dump the emitted packets to another
pcap file on dissection and then load it to wireshark. But this is a
hard way.
Best regards,
--
Andrew Rukavishnikov
