ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Index of multiple protocol frames in one packet?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 12 Oct 2015 12:50:05 -0400


2015-10-12 17:35 GMT+02:00 Jeff Morriss:
On 10/06/15 02:17, Pascal Quantin wrote:
2015-10-06 8:07 GMT+02:00 Petr Gotthard <petr.gotthard@xxxxxxxxxx
<mailto:petr.gotthard@xxxxxxxxxx <mailto:petr.gotthard@xxxxxxxxxx>>>:

     Hello,

     Is there a way to distinguish multiple frames of the same protocol
     in one TCP/IP packet? I have several small AMQP frames which all fit
     into a single IP frame, so they share a single packet_info
     structure.When I call p_add_proto_data() for the second AMQP frame,
     it (obviously) overwrites data stored for the first frame, so I need
     to distibguish between them somehow.

     Is there a counter that would tell me "this is a third AMQP frame in
     this pinfo"? I found packet_info->curr_layer_num, but this is useful
     for nested frames (like IP in IP). Is there something similar for
     groupped frames, please?


Hi Peter,

I'm not sure we have such counter, but
https://code.wireshark.org/review/#/c/10579/ suggested the use of
tvb_raw_offset as key for p_(add|get)_proto_data() functions which seems
a good tradeoff.


Actually there is such a counter in frame_data: subnum.  But it's not
widely used: for now it's only used in EPL, RRC, and UMTS_FP.

Thanks for the hint Jeff (I did not know this one).

It appears that frame_data.c is only setting it to 0, and that increment
need to be handled directly by dissectors. So it means that for a wider
usage, (tcp|udp)_dissect_pdus() function (among others) should be
modified so as to increment it when calling a new subdissector.


Agreed.

On 10/12/15 12:31, Anders Broman wrote:

Pinfo->curr_layer_numis supposed to handle it I think but the problem
may be to have the TCP/UDP/?/ Dissector call the same dissector again if
the complete tvb wasn�t used. If the dissector itself is looping over
the data it should probably use call_disector() or something rather than
do an internal loop.
I think curr_layer_num would only work for tunneling. It sounded like in this case he's got several PDUs at the same layer (e.g., 3 AMQP PDUs in a single TCP frame) in which case curr_layer_num would be the same for all 3 PDUs (whereas he wants a unique number for each of those 3 PDUs).
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube