
Wireshark-dev: [Wireshark-dev] Q about reassembly.

From: Christian Hopps <chopps@xxxxxxxxxx>
Date: Mon, 20 Jan 2020 16:33:45 -0500
So with IPTFS (https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-00) I've got basically a packet stream inside an IPsec/ESP datagram packet stream. I've built various data structures to track out-of-order etc. fragments as I get called for dissecting each IPTFS payload. When there's a full packet fragment inside the current payload I simply create a subset tvbuff and call "call_dissector" on the packet data, and this works for the full fragments.

Also, I think the right thing to do is to associate the fragmented IP packet whose data ends in the current IPTFS payload with that IPTFS payload. So:

===========================  \
end of IP-A packet end frag  |
---------------------------  |
  IP-B packet (full frag)    + IPTFS payload A
---------------------------  |
start of IP-C packet frag    |
===========================  /

Then when I am dissecting "IPTFS payload A" I will associate "IP-A" and "IP-B" with the payload. "IP-C" will be associated with the payload that has the final bytes for it (IP-C).

So that's all good. Now, what I am not sure of is how to tell Wireshark about "IP-A". Currently I track the frame numbers that contain all the data for "IP-A", but I don't know what to do with those numbers. I imagined I could maybe walk through the frame numbers calling something which would invoke call_dissector with a user data arg to gather the entire packet contents together, doing this all from within the IPTFS payload A dissect routine, and then with that new data in hand call_dissector for the ip protocol using this new data.

Perhaps I should just create a new data source tvb, storing that with the first fragment packet, and copy subsequent data I discover into that new data source, then when I get all the data, in the final fragment payload, use that new data source to invoke the call_dissector on the inner IP packet? I didn't like this route b/c it disassociates the data from the fragments they came from, but maybe that's what I have to do?

Or something totally different? :)

I can't just use a TCP-like reassembler b/c the packets are not guaranteed to be in order so asking for "one more packet" and getting the previous packets data doesn't make any sense for me.

Anyone have some pointers on how to tell Wireshark to "dissect" an IP packet with a data source spread over multiple non-linear packet sources?

Thanks,
Chris.
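The bookkeeping the message is asking about, shown as a standalone C example added here; it is not code from the post, from the IPTFS draft or from Wireshark. Wireshark's own sequence-based reassembly in epan/reassemble.h (fragment_add_seq_check and friends) keys fragments by an id plus a per-fragment number and a more-fragments flag, so arrival order does not matter and the reassembled buffer becomes available in the frame whose fragment completes the packet, with the other frames linked to it. The example below reproduces that idea in miniature: fragments are stored under (id, fragment number) in whatever order they arrive, the packet is emitted only once fragment 0 through the fragment marked "last" are all present, and the list of outer frame numbers is returned alongside the bytes so the caller can associate the inner packet with the frames it came from. The fixed-size tables, the fragment numbering and the sample fragment contents are assumptions for illustration, not the IPTFS payload format; a real dissector would also need to age out streams that never complete.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STREAMS  8     /* inner packets in flight at once (assumed limit) */
#define MAX_FRAGS    16    /* fragments per inner packet (assumed limit) */
#define MAX_FRAG_LEN 64    /* bytes per fragment (assumed limit) */

/* One fragment of an inner packet, plus the outer frame number that carried it. */
typedef struct { int present; uint32_t frame; size_t len; uint8_t data[MAX_FRAG_LEN]; } fragment_t;

/* Per-inner-packet state; last_frag is -1 until the "no more fragments" piece is seen. */
typedef struct { int in_use; uint32_t id; int last_frag; fragment_t frags[MAX_FRAGS]; } stream_t;

typedef struct { stream_t streams[MAX_STREAMS]; } reasm_table_t;

/* Reassembled bytes plus the outer frames they came from, in fragment order. */
typedef struct {
    size_t len; uint8_t data[MAX_FRAGS * MAX_FRAG_LEN];
    size_t nframes; uint32_t frames[MAX_FRAGS];
} reassembled_t;

static stream_t *reasm_lookup(reasm_table_t *t, uint32_t id)
{
    stream_t *slot = NULL;
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (t->streams[i].in_use && t->streams[i].id == id) return &t->streams[i];
        if (!t->streams[i].in_use && !slot) slot = &t->streams[i];
    }
    if (!slot) return NULL;                  /* table full */
    memset(slot, 0, sizeof *slot);
    slot->in_use = 1; slot->id = id; slot->last_frag = -1;
    return slot;
}

/* Add one fragment in whatever order it arrived. Returns 1 and fills *out when
 * fragments 0..last are all present, 0 while pieces are missing, -1 if inconsistent. */
int reasm_add(reasm_table_t *t, uint32_t id, uint32_t frag_no, int more_frags,
              uint32_t frame, const uint8_t *buf, size_t len, reassembled_t *out)
{
    if (frag_no >= MAX_FRAGS || len > MAX_FRAG_LEN) return -1;
    stream_t *s = reasm_lookup(t, id);
    if (!s) return -1;
    if (s->last_frag >= 0 && (int)frag_no > s->last_frag) return -1;    /* beyond known end */
    if (!more_frags) {
        if (s->last_frag >= 0 && s->last_frag != (int)frag_no) return -1; /* two "last" pieces */
        s->last_frag = (int)frag_no;
    }
    fragment_t *f = &s->frags[frag_no];
    if (f->present)   /* duplicate: tolerate an identical retransmit, reject anything else */
        return (f->len == len && memcmp(f->data, buf, len) == 0) ? 0 : -1;
    f->present = 1; f->frame = frame; f->len = len;
    memcpy(f->data, buf, len);

    if (s->last_frag < 0) return 0;          /* end not yet known */
    for (int i = 0; i <= s->last_frag; i++)
        if (!s->frags[i].present) return 0;  /* still a hole */

    out->len = 0; out->nframes = 0;
    for (int i = 0; i <= s->last_frag; i++) {
        memcpy(out->data + out->len, s->frags[i].data, s->frags[i].len);
        out->len += s->frags[i].len;
        out->frames[out->nframes++] = s->frags[i].frame;
    }
    s->in_use = 0;                           /* release the slot for reuse */
    return 1;
}

/* Constructed sample: inner packet 7 arrives as fragments 2 (last), 0, 1 in outer
 * frames 10, 11, 12. Returns the reassembled length or a negative code. */
int demo(void)
{
    reasm_table_t t; reassembled_t out;
    memset(&t, 0, sizeof t);
    if (reasm_add(&t, 7, 2, 0, 10, (const uint8_t *)"world!", 6, &out) != 0) return -1;
    if (reasm_add(&t, 7, 0, 1, 11, (const uint8_t *)"hello", 5, &out) != 0) return -2;
    if (reasm_add(&t, 7, 1, 1, 12, (const uint8_t *)", ", 2, &out) != 1) return -3;
    if (out.len != 13 || memcmp(out.data, "hello, world!", 13) != 0) return -4;
    if (out.nframes != 3 || out.frames[0] != 11 || out.frames[1] != 12 || out.frames[2] != 10) return -5;
    return (int)out.len;
}

/* A fragment numbered past an already-seen last fragment is rejected with -1. */
int demo_bad_frag(void)
{
    reasm_table_t t; reassembled_t out;
    memset(&t, 0, sizeof t);
    reasm_add(&t, 9, 1, 0, 20, (const uint8_t *)"end", 3, &out);
    return reasm_add(&t, 9, 3, 1, 21, (const uint8_t *)"late", 4, &out);
}

int main(void)
{
    printf("demo: %d bytes, bad fragment: %d\n", demo(), demo_bad_frag());
    return 0;
}
```

The frames array is the piece that matters for the question in the post: because completion is detected inside the call that delivers the final fragment, the caller is, at that moment, dissecting the outer frame that should display the inner packet, and it already holds the numbers of the other frames that contributed, which is exactly the association between "IP-A" and its fragments that a dissector wants to record.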