
Wireshark-dev: Re: [Wireshark-dev] [Help_Wireshark] difference between fragmentation reassembly

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 5 Jul 2017 07:22:10 +0200


On 5 Jul 2017 07:16, "hhw hhw" <hhw.hhw7@xxxxxxxxx> wrote:
According to the answer to this question ( https://ask.wireshark.org/questions/61818/how-to-reassemble-fragments-in-a-dissector-by-fragment_add_seq_check-function ), I need to use fragment_add_check(), but if I use the fragment_add_check function, packets 1,2,3 are reassembled incorrectly and the hf_msg_fragment_overlap field is true, and packets 4,5,6 aren't reassembled.

It's up to you: either you follow my explanation of why your reassembly fails and you modify your code accordingly (and it will work) or you continue not listening to advice.
In my first reply I told you how to use fragment_add_check (I got it working with the sample you posted on the ask site) and why you should probably avoid it.


On Wed, Jul 5, 2017 at 9:39 AM, hhw hhw <hhw.hhw7@xxxxxxxxx> wrote:
I stopped using morefrag because I want to show the start and end of a reassembling process, and my messages don't always have up to 3 fragments.

On Wed, Jul 5, 2017 at 9:36 AM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
[once more, please keep wireshark-bugs mailing list in copy, thanks]


On 5 Jul 2017 06:41, "hhw hhw" <hhw.hhw7@xxxxxxxxx> wrote:
Hi Pascal. Thank you very very... much.
I shall change my dissector code. Now, my packets are like:
packet nb  sequence id  sequence number  message type
1          16           0                0 Begin
2          16           1                1 Continue
3          16           2                2 End (more_frag=FALSE)
----------------------------------------------------------------------
4          5            11               0 Begin
5          5            12               1 Continue
6          5            13               2 End (more_frag=FALSE)
----------------------------------------------------------------------
7          16           20               0 Begin
8          16           21               1 Continue
9          16           22               2 End (more_frag=FALSE)

I use messagetype instead of morefrag. When messagetype=2 it means more_frag=FALSE and this should complete reassembly. But I have a problem, and packets 4,5,6 and packets 7,8,9 aren't reassembled.
My fragments may start at any sequence number (zero or non-zero). If an END message has been received, a sequence id can be assigned to another group of packets (like id=16). Can you help me?

As I already explained in my previous message, the reassembly API expects the frag_number parameter to start from 0 for the first fragment of a given message and increase by 1 for each new fragment of the same message. If you apply this rule it will just work.
I don't know why you stopped using morefrag (which was perfectly fine) but if your messages always have up to 3 fragments you could use the message type as frag_number. If you can have several Continue packets for the same message, then you need to find another way to provide the frag_number parameter.

Best regards,
Pascal.
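
The rule Pascal states (frag_number starts at 0 for the first fragment of a message and increases by 1) can be met for the packets in the table by remembering the sequence number of each Begin packet. The following is an added example, not code from this thread or from Wireshark; it is plain C with no Wireshark calls. The names `normalize`, `msg_state_t` and `frag_args_t` are hypothetical, and it assumes the sequence number increases by 1 for each fragment within a message, as in the table.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

enum { MSG_BEGIN = 0, MSG_CONTINUE = 1, MSG_END = 2 };
#define MAX_IDS 256                 /* assumption: sequence id fits in 8 bits */

/* Hypothetical per-conversation state: sequence number of the Begin
 * fragment of the message currently open on each sequence id.
 * In a real dissector this would be updated only on the first pass. */
typedef struct { bool open; uint32_t base; } msg_state_t;
static msg_state_t state[MAX_IDS];

typedef struct { bool valid; uint32_t frag_number; bool more_frags; } frag_args_t;

/* Turn (sequence id, sequence number, message type) into the values the
 * reassembly API expects. valid=false means Continue/End with no Begin seen. */
frag_args_t normalize(uint8_t seq_id, uint32_t seq_num, int msg_type)
{
    frag_args_t out = { false, 0, false };
    msg_state_t *st = &state[seq_id];

    if (msg_type == MSG_BEGIN) {             /* new message: numbering restarts at 0 */
        st->open = true;
        st->base = seq_num;
    } else if (!st->open) {
        return out;                          /* capture started mid-message */
    }
    out.valid = true;
    out.frag_number = seq_num - st->base;    /* 0, 1, 2, ... within the message */
    out.more_frags = (msg_type != MSG_END);  /* any number of Continue packets is fine */
    if (msg_type == MSG_END)
        st->open = false;                    /* sequence id may now be reused */
    return out;
}

int main(void)
{
    /* The nine packets from the table in the thread. */
    static const struct { uint8_t id; uint32_t seq; int type; } pkts[] = {
        {16, 0, 0}, {16, 1, 1}, {16, 2, 2},
        {5, 11, 0}, {5, 12, 1}, {5, 13, 2},
        {16, 20, 0}, {16, 21, 1}, {16, 22, 2},
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        frag_args_t a = normalize(pkts[i].id, pkts[i].seq, pkts[i].type);
        printf("packet %zu: id=%u frag_number=%u more_frags=%d\n", i + 1,
               (unsigned)pkts[i].id, (unsigned)a.frag_number, a.more_frags);
    }
    return 0;
}
```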