Wireshark-dev: Re: [Wireshark-dev] calculating PDU size of TCP message

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 21 Jul 2014 13:52:40 -0700
On Jul 21, 2014, at 1:46 PM, "John Dill" <John.Dill@xxxxxxxxxxxxxxxxx> wrote:

> I have a TCP message (that I reverse engineered) that contains blocks of the following type:
> 
>  -------------
> |  Data Type  | 4 bytes
>  -------------
> | Payload Len | 4 bytes
>  -------------
> |  Checksum   | 4 bytes
>  -------------
> |    Data     | = Payload Len
>  -------------
>    (repeats)
> 
> Since I did not know about the underlying structure, I used tcp_dissect_pdus with a TCP header length of 12 bytes to be able to read a single block.
> 
> tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
>                  TCP_PAYLOAD_HDR_LENGTH,
>                  get_tcp_pdu_len,
>                  dissect_tcp_pdu);
> 
> I have discovered that in general, this application layer message can have multiple blocks

What do you mean by "this application layer message"?

If a "block" is

 -------------
|  Data Type  | 4 bytes
 -------------
| Payload Len | 4 bytes
 -------------
|  Checksum   | 4 bytes
 -------------
|    Data     | = Payload Len
 -------------

then presumably there's some *other* header that indicates which blocks are part of a given application layer message, or a convention that an application layer message consists of a sequence of blocks all of the same data type (so that a change in the data type is an indication that one application layer message ended and another began), or something such as that.

Without knowing that, it will be impossible to do

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Application Protocol
  Block 1
  Block 2
  Block ...
  Block N

because Wireshark won't be able to determine where one application layer message begins and another ends.
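The block layout and get_tcp_pdu_len callback discussed in this thread, as an added stand-alone C example (not from the thread or from Wireshark's own code): it computes a block's length from the 12-byte header the way the callback would and walks a reassembled buffer block by block, stopping on a truncated block or a wrapped length field. Big-endian fields and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define TCP_PAYLOAD_HDR_LENGTH 12 /* Data Type + Payload Len + Checksum */
/* One block as drawn in the thread; big-endian fields are an assumption. */
typedef struct {
    uint32_t data_type, payload_len, checksum;
    const uint8_t *data; /* payload_len bytes, pointing into the caller's buffer */
} block_t;

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Stand-in for the get_tcp_pdu_len callback: given the 12 fixed header bytes,
   report the whole block length (header + Payload Len). */
uint32_t get_tcp_pdu_len(const uint8_t *buf, size_t buflen) {
    if (buflen < TCP_PAYLOAD_HDR_LENGTH) return 0;
    return TCP_PAYLOAD_HDR_LENGTH + get_be32(buf + 4);
}

/* Walk a reassembled buffer block by block. Returns the number of complete
   blocks; *leftover gets the byte count of a trailing partial block, which is
   what a dissector would turn into a "need more data" desegmentation request. */
size_t parse_blocks(const uint8_t *buf, size_t buflen, block_t *out,
                    size_t max_blocks, size_t *leftover) {
    size_t off = 0, n = 0;
    while (n < max_blocks && buflen - off >= TCP_PAYLOAD_HDR_LENGTH) {
        uint32_t total = get_tcp_pdu_len(buf + off, buflen - off);
        /* A wrapped length (huge Payload Len) or a truncated block ends the walk. */
        if (total < TCP_PAYLOAD_HDR_LENGTH || total > buflen - off) break;
        out[n].data_type   = get_be32(buf + off);
        out[n].payload_len = get_be32(buf + off + 4);
        out[n].checksum    = get_be32(buf + off + 8);
        out[n].data        = buf + off + TCP_PAYLOAD_HDR_LENGTH;
        off += total; n++;
    }
    *leftover = buflen - off;
    return n;
}

/* Constructed sample: two complete blocks, then a block cut off mid-payload. */
static const uint8_t SAMPLE[] = {
    0,0,0,1, 0,0,0,3, 0xDE,0xAD,0xBE,0xEF, 'a','b','c',
    0,0,0,2, 0,0,0,1, 0,0,0,0,             'z',
    0,0,0,1, 0,0,0,8, 0,0,0,0,             'p','a'
};
static block_t g_blocks[4]; /* results of parsing SAMPLE */
static size_t g_leftover;
size_t sample_blocks(void) {
    return parse_blocks(SAMPLE, sizeof SAMPLE, g_blocks, 4, &g_leftover);
}
```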