manu romu wrote:
> I'm on my way to finish my plugin but I've come across an unexpected
> problem. Some of the packets are carried on TCP and often happen to be split
> over more TCP fragments. There was a length field in my header so I used
> tcp_dissect_pdus() to do reassembling.
> Yesterday I noticed that the total size of frags is almost always bigger
> than the length declared in my proto header! That's why I get an
> incorrect reassembling.

Your get_pdu_len routine might be returning the wrong value.
Does the length field in your header contain the *total* length of the
packet, including the header? If so, you just use that value as the PDU
length returned by the get_pdu_len routine.
Or is it the length of the data *after* the header? If so, you add the
length of the header to the length of the data and return that in
get_pdu_len.
Note also that the PDUs are expected to be contiguous in the TCP data
stream:

+--------+-----------------+--------+------------...
| Header | Data...         | Header | Data...
+--------+-----------------+--------+------------...

and the length value returned by your get_pdu_len routine is the length
of the header *plus* the length of the data.

> I've read there's another way of carrying out reassembling, that is,
> modifying pinfo struct,

That's what tcp_dissect_pdus() does for you. You probably don't want to
do it yourself; it's easier to use tcp_dissect_pdus() than to reinvent
it....

> but I don't know how to handle it properly. I'd
> like to reassemble *ALL* TCP frags following my_proto packet *UNTIL*
> another my_proto packet is sniffed.

What else is there in the TCP data stream other than my_proto packets?
(Hint: "data" is the wrong answer; you should treat the data as part of
the packet - see above.)
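
The framing rule discussed in this thread, as an added stand-alone C model (not part of the original messages and not Wireshark code): it reassembles contiguous PDUs from arbitrarily cut TCP segments and shows what happens when the length routine returns the wrong kind of length. The 4-byte header layout, `MAX_PDU`, `struct reasm`, `feed_segment` and `run_stream` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HDR_LEN 4     /* assumed header: 2-byte type, 2-byte big-endian length */
#define MAX_PDU 4096  /* assumed sanity cap on one PDU */
struct reasm { uint8_t buf[MAX_PDU]; size_t have; int field_is_total; };

/* Same job as a get_pdu_len routine: always return header + data length. */
static size_t get_pdu_len(const struct reasm *r)
{
    size_t field = ((size_t)r->buf[2] << 8) | r->buf[3];
    return r->field_is_total ? field : HDR_LEN + field;
}

/* Feed one TCP segment. Returns the number of PDUs completed by it, or -1
 * when the declared length is shorter than the header or above the cap. */
static int feed_segment(struct reasm *r, const uint8_t *seg, size_t n)
{
    int pdus = 0;
    while (n > 0) {
        /* The length is unknown until the whole header has arrived. */
        size_t want = r->have < HDR_LEN ? HDR_LEN : get_pdu_len(r);
        if (want < HDR_LEN || want > MAX_PDU) return -1;
        size_t take = want - r->have < n ? want - r->have : n;
        memcpy(r->buf + r->have, seg, take);
        r->have += take; seg += take; n -= take;
        if (r->have >= HDR_LEN && r->have == get_pdu_len(r)) {
            pdus++;          /* one complete PDU: hand it to the dissector */
            r->have = 0;
        }
    }
    return pdus;
}

/* Constructed sample: two PDUs ("hello", "abc") cut into 3-, 7- and 6-byte
 * segments; the length field counts only the data after the header. */
static int run_stream(int field_is_total)
{
    static const uint8_t s[] = { 0,1,0,5,'h','e','l','l','o', 0,2,0,3,'a','b','c' };
    static const size_t cut[] = { 3, 7, 6 };
    struct reasm r = { .have = 0, .field_is_total = field_is_total };
    size_t off = 0; int total = 0;
    for (size_t i = 0; i < 3; off += cut[i++]) {
        int got = feed_segment(&r, s + off, cut[i]);
        if (got < 0) return -1;
        total += got;
    }
    return total;
}
```

With the field read correctly as data-only, both PDUs are recovered; read as a total length, the first PDU is cut short and the leftover bytes are parsed as a header with an implausible length, which the cap rejects.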