Wireshark-users: Re: [Wireshark-users] How do you access the reassembled TCP PDU in Lua?

From: "Bill Meier" <wmeier@xxxxxxxxxxx>
Date: Sun, 12 Nov 2006 18:25:56 -0500
> 
> I am trying to write a tap for TDS packets in Lua and I am running into
> issues when the PDU is in multiple packets. Is there any way to access the
> reassembled TCP data?
> 
> If you turn off reassembly, the first payload byte of each frame is
> dissected as a tds.type parameter. If you turn on reassembly, the tap
> triggers on the last packet of the message and you can't access the earlier
> packets that contain the RPC name and such.
> 

I don't know the answer to your question (not yet having explored how 'taps' 
and LUA work). 

FWIW I would like to note the following:

The "defragmentation" code in packet-tds.c doesn't work well.
(Defragmentation has to do with re-assembling a query/response which 
 consists of multiple netlib 'packets').
Defragmentation is controlled by the TDS option "Reassemble fragmented TDS 
messages..."
So: if you have large queries or responses whose size exceeds the "network 
packet size" (Sybase terminology) then Wireshark currently doesn't 
re-assemble them properly (in many cases).
I've been working on a fix which I should be able to submit in a week or so.

AFAIK TDS "desegmentation" (building a "TDS Buffer" (aka "Netlib Packet") 
from TCP segments) works correctly. 



With respect to your previous EMail:

> the TDS dissector does not create fields with the RPC name or
> parameters. 

This might not be too difficult to implement. Which version of the TDS 
protocol are you decoding?
(or: what (Sybase, Microsoft) Server on what (Linux, Unix, Windows) platform 
are you using?)

> Is anyone working on improving the tds dissector? It seems like freetds.org
> has all of the information needed to decode the parameters.

I've been doing some work in the background, but haven't had too much time 
lately.


(Your work on doing query response time analysis sounds good. Some number of 
years ago I wrote some fairly low-level code which takes raw sniffer capture 
files and extracts info as to queries (rpc name or proc name or sql, time) 
and query responses (time). Charts created from the data have helped me many 
times to identify problems involving apps using Sybase servers inefficiently.
It would be nice to eventually have a way to do this using data derived from 
Wireshark so that I can throw away my old code).


Bill Meier
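The query response time measurement discussed in this thread, as an added Lua tap example that is not part of the original message or of the Wireshark TDS dissector. It assumes the fields tds.type and tcp.stream are available, that the TDS packet-type numbering follows FreeTDS/MS-TDS (1 = SQL batch, 3 = RPC, 4 = tabular reply), and that the script is run as `tshark -X lua_script:tds_rt.lua -r capture.pcap`; with TDS reassembly on, the request time is taken from the last frame of the request message (the frame the tap actually fires on).

```lua
-- Added example: pair each TDS request with the first TDS reply frame on the
-- same TCP stream and report the elapsed time (assumes tds.type, tcp.stream).
local tds_type_f   = Field.new("tds.type")
local tcp_stream_f = Field.new("tcp.stream")

-- Assumed TDS packet-type values (FreeTDS / MS-TDS numbering).
local REQUEST_TYPES = { [1] = "sql batch", [3] = "rpc" }
local REPLY_TYPE    = 4

local pending = {}   -- per TCP stream: request frame waiting for its reply
local results = {}   -- completed request/reply pairs

-- "frame" tap filtered on tds.type, so only frames carrying a TDS header fire.
local tap = Listener.new("frame", "tds.type")

function tap.reset()
    pending, results = {}, {}
end

function tap.packet(pinfo, tvb)
    local ttype, stream = tds_type_f(), tcp_stream_f()
    if not ttype or not stream then return end
    local t, s = ttype.value, stream.value
    local kind = REQUEST_TYPES[t]
    if kind then
        -- A request that spans several netlib packets yields several request
        -- frames; keep the first one seen so a long query is timed once.
        if not pending[s] then
            pending[s] = { frame = pinfo.number, ts = pinfo.abs_ts, kind = kind }
        end
    elseif t == REPLY_TYPE and pending[s] then
        -- Only the first reply frame is timed; later reply packets are ignored.
        local req = pending[s]
        pending[s] = nil
        results[#results + 1] = {
            stream = s, kind = req.kind, req_frame = req.frame,
            resp_frame = pinfo.number, rtt = pinfo.abs_ts - req.ts,
        }
    end
end

-- Called by tshark at end of capture (and by Wireshark after a retap).
function tap.draw()
    for _, r in ipairs(results) do
        print(string.format("stream %d %-9s request frame %d -> first reply frame %d: %.3f ms",
            r.stream, r.kind, r.req_frame, r.resp_frame, r.rtt * 1000))
    end
end
```

Requests that never receive a reply stay in `pending` and are not reported, which is itself worth charting when hunting for cancelled or timed-out queries.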