
Wireshark-dev: Re: [Wireshark-dev] Follow TCP stream - FTP protocol Export Object

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Tue, 20 Jan 2015 13:29:39 +0100
2015-01-20 12:23 GMT+01:00 leonardocito@xxxxxxxxx <leonardocito@xxxxxxxxx>:

I am implementing object export for the FTP protocol (File -> Export Object -> FTP...).

I need to identify the last packet in the FTP-DATA stream for calling the function tap_queue_packet and send the object to the gui for display.

The ideal solution would be to compare the sum of accrued payloads with the file size. However this information is not provided in the headers.

I have thought of two possible strategies, none of which is optimal:

  1. use the dissector transfer speed and duration for estimating the approximate file length; however that would require matching the FTP-DATA conversation and the relevant 226 code response from the header and that is not so straightforward.
  2. use the same approach used in the Follow TCP Stream command. However it seems that feature is heavily based on applying a display filter and seems to be dependent on the gui.
  3. If I could match each FTP packet to the TCP packet that transported it, then I could do all the checks needed to establish if the connection is being closed. However I have not found a way to match FTP-DATA packets to the relevant TCP packet.

What is the best way to proceed? Can somebody please help me?

Hi,

isn't using conv->last_frame after the first pass sufficient? I would have expected it to contain the frame number of the last packet belonging to the current conversation.
Assuming that you are using the master branch (Wireshark 1.99.X), the tcpinfo structure (that contains the TCP sequence number, next sequence number, ...) will be given in the data parameter of the dissector. To have access to it, you need to change the ftpdata dissector from dissector_t to new_dissector_t (by using new_register_dissector instead of register_dissector). If you are on a Wireshark version 1.12.X or earlier, I think the structure can be found in pinfo->private_data.

Regards,
Pascal.
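As an added illustration of the approach Pascal describes (not code from this thread or from the Wireshark tree), the C program below models an FTP-DATA dissector shaped like a new_dissector_t: it receives the TCP sequence information through the void *data parameter, reconstructs the object size from the sequence space (seq / nxtseq) rather than by summing payloads, and treats the frame equal to conv->last_frame on the second pass as the last packet of the stream, which is where tap_queue_packet would be called. Wireshark's headers cannot be compiled stand-alone, so tcpinfo_stub, conversation_stub, the second_pass flag (standing in for PINFO_FD_VISITED) and the capture array are constructed stand-ins for struct tcpinfo, conversation_t, the visited flag and a real trace; only the seq and nxtseq fields of the real structure are mirrored.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two fields of Wireshark's struct tcpinfo (packet-tcp.h)
 * that the end-of-stream logic needs.  The real struct is handed to a
 * new_dissector_t through its void *data parameter. */
typedef struct {
    uint32_t seq;    /* sequence number of this segment */
    uint32_t nxtseq; /* sequence number expected after this segment */
} tcpinfo_stub;

/* Stand-in for the conversation_t field used here. */
typedef struct {
    uint32_t last_frame; /* last frame of the conversation, valid after pass 1 */
} conversation_stub;

/* Per-conversation state a real dissector would keep via
 * conversation_add_proto_data(); here it is a plain local struct. */
typedef struct {
    bool     have_isn;
    uint32_t isn;         /* first seq seen: start of the transferred file */
    uint32_t highest_nxt; /* highest nxtseq seen: end of data so far */
    uint32_t done_frame;  /* frame at which the object was completed, 0 if never */
} ftpdata_state;

/* Shaped like a new_dissector_t body: tcpinfo arrives as data.
 * second_pass plays the role of PINFO_FD_VISITED(pinfo). */
static int dissect_ftpdata_stub(uint32_t frame, int len, const void *data,
                                const conversation_stub *conv,
                                ftpdata_state *st, bool second_pass)
{
    const tcpinfo_stub *tcpinfo = (const tcpinfo_stub *)data;
    if (tcpinfo == NULL)
        return 0;                       /* not carried over TCP: nothing to do */

    if (!st->have_isn) {
        st->have_isn = true;
        st->isn = tcpinfo->seq;
        st->highest_nxt = tcpinfo->seq;
    }
    /* Track sequence space, not summed payload: a retransmitted segment
     * advances nothing, so the byte count stays exact (wrap-safe compare). */
    if ((int32_t)(tcpinfo->nxtseq - st->highest_nxt) > 0)
        st->highest_nxt = tcpinfo->nxtseq;

    /* conv->last_frame is only meaningful once pass 1 has finished; on pass 2
     * the frame equal to it is the last packet of the FTP-DATA stream. */
    if (second_pass && frame == conv->last_frame && st->done_frame == 0)
        st->done_frame = frame;         /* real code: tap_queue_packet() here */
    return len;
}

/* Object size reconstructed from the sequence space. */
static uint32_t ftpdata_bytes(const ftpdata_state *st)
{
    return st->have_isn ? st->highest_nxt - st->isn : 0;
}

typedef struct { uint32_t frame; uint32_t seq; int len; } seg_t;

/* Constructed FTP-DATA capture: frame 12 retransmits frame 11, so summing
 * payloads would over-count by 1460 bytes. */
static const seg_t capture[] = {
    { 10, 1000, 1460 }, { 11, 2460, 1460 }, { 12, 2460, 1460 }, { 13, 3920, 300 },
};
#define NSEGS ((int)(sizeof capture / sizeof capture[0]))

/* Runs both Wireshark-style passes over the constructed capture. */
static ftpdata_state run_two_pass(void)
{
    conversation_stub conv = { 0 };
    ftpdata_state st = { 0 };
    for (int pass = 1; pass <= 2; pass++) {
        st = (ftpdata_state){ 0 };
        for (int i = 0; i < NSEGS; i++) {
            tcpinfo_stub ti = { capture[i].seq, capture[i].seq + capture[i].len };
            dissect_ftpdata_stub(capture[i].frame, capture[i].len, &ti, &conv, &st, pass == 2);
            if (pass == 1)
                conv.last_frame = capture[i].frame; /* what conversation tracking does */
        }
    }
    return st;
}

/* Frame at which the export tap would fire (0 if never). */
static uint32_t completion_frame(void) { ftpdata_state s = run_two_pass(); return s.done_frame; }
/* Reconstructed object size in bytes. */
static uint32_t object_size(void) { ftpdata_state s = run_two_pass(); return ftpdata_bytes(&s); }

int main(void)
{
    printf("object complete at frame %u, %u bytes\n", completion_frame(), object_size());
    return 0;
}
```

The size comes out as highest nxtseq minus the initial seq (3220 bytes here), which is what a real dissector would compare against when deciding the export is complete, and the completion fires only on the second pass because last_frame is not known until the first pass has walked the whole capture.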