On Oct 13, 2003, at 1:40 PM, Pierre JUHEN wrote:
I am writing a TCP dissector for a private protocol that uses TCP
desegmentation.
Using it, I found out that the TCP dissector labels as "[Illegal
segments]" segments where
the sender retransmits a frame that overlaps the previous (lost) one,
but is longer.
Therefore, the TCP dissector sets the FD_TOOLONGFRAGMENT and
FD_MULTIPLETAILS flags,
which leads to the "[Illegal segments]" message.
From a pure TCP standard point of view, this does not seem to be illegal.
It's not.
However:
Proposed patch for "reassemble.c"
--- reassemble.c.old 2003-08-29 03:54:53.000000000 +0200
+++ reassemble.c 2003-10-13 22:24:06.000000000 +0200
@@ -1582,12 +1582,11 @@
static gboolean
show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items
*fit,
packet_info *pinfo)
{
- if (fd_head->flags & (FD_OVERLAPCONFLICT
- |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
+ if (fd_head->flags & (FD_OVERLAPCONFLICT) ) {
if (check_col(pinfo->cinfo, COL_INFO)) {
- col_add_fstr(pinfo->cinfo, COL_INFO,
+ col_append_fstr(pinfo->cinfo, COL_INFO,
"[Illegal %s]", fit->tag);
return TRUE;
}
}
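Review bot: the flag test at the top of show_fragment_errs_in_col() now ignores FD_MULTIPLETAILS and FD_TOOLONGFRAGMENT for every caller, yet the function takes a generic fragment_items and sits in reassemble.c, so the change does not look limited to TCP. Consider keeping the three-flag test here and deciding per protocol which flags count as errors, or not setting those flags for TCP retransmissions in the first place. The switch from col_add_fstr to col_append_fstr is a separate behaviour change (the "[Illegal %s]" tag is appended to the Info column instead of replacing it) and should be explained in the patch description or split into its own patch. The parentheses around the single FD_OVERLAPCONFLICT are no longer needed.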
it's probably best fixed in the code that *sets* the "overlap conflict"
flag; for reliable transport protocols such as TCP, an "overlap" is
probably a transport-layer retransmission rather than an error in the
transmission of fragments, and, at least for TCP, an overlap where the
fragments have different lengths is also probably a retransmission, not
an error.
The reassembly code needs some work to handle reliable transport
protocols such as OSI COTP, where the sequence number is a sequence
number in the connection, rather than a fragment sequence number; some
of that might also apply to TCP.
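
One way to separate a TCP retransmission (including a longer one) from a genuine overlap conflict, as an added example that is not part of the original message and is not Ethereal's code. The names `stream_add`, `seg_class` and `demo`, the rule that byte-identical overlap counts as a retransmission while differing bytes count as a conflict, and the sample payloads are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical names, not Ethereal's reassemble.c API. */
enum seg_class { SEG_NEW, SEG_RETRANSMIT, SEG_RETRANSMIT_LONGER,
                 SEG_CONFLICT, SEG_UNSUPPORTED };

struct stream {
    unsigned char buf[64];   /* payload reassembled so far */
    size_t len;              /* valid bytes in buf */
};

/* Classify a segment covering stream offsets [off, off+n) and merge it
 * unless it conflicts. Gaps and oversized input are out of scope here. */
enum seg_class stream_add(struct stream *s, size_t off,
                          const unsigned char *data, size_t n)
{
    size_t end = off + n, overlap;

    if (n == 0 || off > s->len || end > sizeof s->buf || end < off)
        return SEG_UNSUPPORTED;
    overlap = (end < s->len ? end : s->len) - off;
    /* Assumption: only differing bytes in the overlap are a real conflict. */
    if (overlap > 0 && memcmp(s->buf + off, data, overlap) != 0)
        return SEG_CONFLICT;
    if (end <= s->len)
        return SEG_RETRANSMIT;          /* identical bytes, nothing new */
    memcpy(s->buf + s->len, data + overlap, end - s->len);
    s->len = end;
    return overlap > 0 ? SEG_RETRANSMIT_LONGER : SEG_NEW;
}

/* Constructed scenarios, each after a first segment "ABCD" at offset 0:
 * 0 = longer retransmission, identical overlap; 1 = same range, other bytes. */
enum seg_class demo(int scenario)
{
    struct stream s = { {0}, 0 };
    stream_add(&s, 0, (const unsigned char *)"ABCD", 4);
    if (scenario == 0)
        return stream_add(&s, 0, (const unsigned char *)"ABCDEFGH", 8);
    return stream_add(&s, 0, (const unsigned char *)"ABXD", 4);
}

int main(void)
{
    printf("longer retransmission -> %d\n", demo(0));
    printf("conflicting overlap   -> %d\n", demo(1));
    return 0;
}
```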