Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] fragment reassembly

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Thu, 7 Jul 2016 18:36:24 -0400

On Fri, Jun 24, 2016 at 4:54 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Jun 24, 2016, at 1:14 PM, John Thacker <johnthacker@xxxxxxxxx> wrote:

> I am implementing fragment reassembly of PPP Multilink (RFC 1990) and also implementing multiclass extension (RFC 2686). (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12548 https://code.wireshark.org/review/#/c/16044/)
> The protocol is unlike other protocols that do reassembly. Most protocols contain a sequence number that corresponds to the reassembled PDU, plus generally fragment numbers that indicate the position of the fragment within the reassembly and a flag that indicates when there are no more fragments expected. (There are some exceptions without fragment numbers; those have to assume that fragments are received in order and use fragment_add_seq_next().)
>
> PPP Multilink only has a single sequence number, plus flags that indicate whether something is the first or last (or both or neither) fragment of a PDU. There's no indicate of what the fragment number is within the sequence, other than "First" or "not first."

I.e., it's more like TCP, where the sequence number is a sequence number within a "connection".

I seem to remember that there are some other protocols that work that way.  There should probably be an additional set of reassembly APIs to handle that case.

Yes, I found a big list of protocols in Appendix A of RFC 4623 (PWE3 Fragmentation and Reassembly) that work this way, in addition to PPP MP. PWE3 MPLS (RFC 4385), L2TPv2 (RFC 2661), L2TPv3 (RFC 3931), ATM, and Frame Relay are all claimed to use this style of fragmentation. It looks like, just as with PPP MP, Wireshark reads the flags and sequence number but doesn't attempt reassembly.

I submitted a new changeset taking a an approach of adding reassembly APIs. It's fairly large, so I've been testing for a while on various corner cases (missing packets, strange order of arrival, etc.)