Ethereal-dev: Re: [Ethereal-dev] Newbie questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Nils Henrik Lorentzen <nlorentz@xxxxxxxxx>
Date: Wed, 19 Sep 2001 10:06:01 +0200

On Tuesday 18 September 2001 20:23, you wrote:
> > My question is: Is it possible to hardcode this 500 byte limit to
> > something slightly larger ?
>
> No, because there *is* no such hardcoded limit to raise.
>
> If you're getting no TCP messages larger than 500 bytes, it's not
> because any piece of Ethereal imposes such a limit.  After you remove
> the 14-byte Ethernet header, the 20-byte minimum IP header, and the
> 20-byte minimum TCP header from a 1514-byte Ethernet packet, you get
> 1460 bytes of TCP payload - and I have captures where Ethereal does, in
> fact, see 1460 bytes of TCP payload.

OK, I see.
Really strange though, that I could not get more than 500 bytes of payload
in a frame. These long messages are sent by my program running atop
Linux 2.4.2 using a single write() call.
Maybe the kernel chops them into pieces before sending them for some reason.

> Ethereal 0.8.19 will not reassemble higher-level PDUs that cross TCP
> segment boundaries, so if an SCCP message crosses a TCP segment boundary
> (whether it's bigger than a TCP segment or not; higher-level PDUs can
> cross TCP segment boundaries even if they'd fit in a maximum-size TCP
> segment) you will only see part of it.
>
> The current version of Ethereal in CVS, however, does include code that
> allows a dissector for a protocol running atop TCP to request
> reassembly of higher-level PDUs, as long as
>
> 	1) the length of the PDU is specified at the beginning of the
> 	   PDU
>
> and
>
> 	2) the field or fields specifying the length aren't themselves
> 	   split across TCP segments.

I think this will hold in every case for SCCP, as the size
is the first four bytes in the PDU (unless the PDU is split inside
the first four bytes, but that is probably very unlikely).

> See, for example, the NetBIOS Session Service dissector (in
> "packet-nbns.c", for historical reasons), the ONC RPC-over-TCP dissector
> (in "packet-rpc.c"), and the DNS dissector (in "packet-dns.c").
>
> > If I could for example raise it to 750, then I would get
> > all sccp messages unfragmented, and they would display nicely.
> > Or is this limited by the MTU size or something like that ?
>
> It may be limited by the MTU.  There's no hard-coded 500-byte limit in
> Ethereal.

OK, many thanks for your info !
I'll use the ethereal from CVS, and try to do the reassembly thing then.

Nils Henrik
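
The reassembly case discussed in this thread, as an added example that is not part of the original messages and is not Ethereal code: a stand-alone reassembler for PDUs that begin with a four-byte length, which also buffers a length field split across TCP segments. The byte order (big-endian), the length counting only the payload after the four bytes, the MAX_PDU cap, and the names `reasm_t` and `reasm_feed` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN 4     /* from the thread: the size is the first four bytes of the PDU */
#define MAX_PDU 4096  /* assumed cap, so a hostile length field cannot demand a huge buffer */

typedef struct {
    uint8_t buf[HDR_LEN + MAX_PDU]; /* PDU currently being assembled */
    size_t  have;                   /* bytes buffered so far */
    size_t  last_len;               /* payload length of the last completed PDU */
} reasm_t;

/* Feed one TCP segment's payload. Returns the number of PDUs this segment
 * completed, or -1 if a length field exceeds MAX_PDU (caller drops the stream). */
int reasm_feed(reasm_t *r, const uint8_t *seg, size_t len)
{
    int done = 0;
    for (;;) {
        size_t want = HDR_LEN;      /* until the header is whole, collect only the header */
        if (r->have >= HDR_LEN) {   /* assumed big-endian, payload-only length */
            uint32_t plen = (uint32_t)r->buf[0] << 24 | (uint32_t)r->buf[1] << 16 |
                            (uint32_t)r->buf[2] << 8  | (uint32_t)r->buf[3];
            if (plen > MAX_PDU) return -1;
            want = HDR_LEN + plen;
            if (r->have == want) {  /* PDU complete: record it and start the next one */
                r->last_len = plen; r->have = 0; done++;
                continue;
            }
        }
        if (len == 0) break;        /* segment consumed; any partial PDU stays buffered */
        size_t take = want - r->have < len ? want - r->have : len;
        memcpy(r->buf + r->have, seg, take);
        r->have += take; seg += take; len -= take;
    }
    return done;
}

int main(void)
{
    /* Constructed stream: one PDU with a 600-byte payload, then 3 bytes of the next header. */
    static uint8_t stream[HDR_LEN + 600 + 3] = {0x00, 0x00, 0x02, 0x58};
    static reasm_t r;
    size_t cuts[] = {2, 500, 105};  /* constructed segment sizes; the first splits the length field */
    for (size_t i = 0, off = 0; i < 3; off += cuts[i++]) {
        int n = reasm_feed(&r, stream + off, cuts[i]);
        printf("segment of %zu bytes: %d PDU(s) complete, %zu bytes pending\n", cuts[i], n, r.have);
    }
    return 0;
}
```

The length check runs as soon as the four length bytes are buffered, before any payload is copied, so an oversized value is rejected without touching the buffer beyond the header.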