Ethereal-dev: Re: [Ethereal-dev] Allow subdissector reassemble TCP fragments...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "fabio matturro" <fabiomax3@xxxxxxxxxxx>
Date: Thu, 20 Apr 2006 12:03:45 +0200

fabio matturro wrote:

To reassemble desegmented TCP packets I set 'Allow subdissector reassemble...'
To reassemble my_proto frags I set 'Reassemble my proto packets' in my_proto Preferences.

...and either manually setting pinfo->desegment_offset and pinfo->desegment_len, or letting a routine such as tcp_dissect_pdus(), presumably.

With TCP, you do *NOT* do desegmentation the same way you do with other protocols, because TCP doesn't honor higher-level packet boundaries - it doesn't know anything about packet boundaries, it just supplies a byte stream service.

You don't do the desegmentation yourself.  You let the TCP dissector do it.


I don't do desegmentation myself, actually. I use tcp_dissect_pdus() and it works.
I've enclosed a couple of screenshots.
As you can see in Screenshot1, the highlighted packet (frame n.107) is a PVM packet split over two TCP segments (frame 107 and frame 109). Let's use '[n,m, ...]' to mean a PVM packet split over TCP segments at frames n and m and ...


1) Does the tvbuff at frame 107, for example, contain *also* the rest of the payload desegmented in frame 109 *even* if the "[Unreassembled Packet]" tag in the Info Column suggests to me it does not?

Now, the [107,109] PVM packet is the *last* PVM fragment (look at the EOM flag in the detailed display) of a PVM message. So,

... + [89,91,93] + [95, 97, 99] + [101,103,105] + [107,109] are ALL fragments to be reassembled at the application level into a single PVM message.

Therefore, *first* I reassemble TCP segments into PVM fragments, *then* I reassemble PVM fragments into a PVM message. To carry out this 'application-level' reassembling I use the reassemble.c routines. That's what I do for the UDP case, at least, and for the UDP case I have no problems. For the TCP case it does not work. In fact, [107,109] being the *last* PVM fragment, I'd expect the PVM message to be reassembled here, but it isn't.

Then, I set the 'Allow subdissector to reassemble TCP streams' and the result is shown in Screenshot 2. The Info Column tells me the payload's length is 21756 bytes (which is, actually, the sum of all the PVM frag payloads) *but*, as you can see in the Detailed display, I still get the 'old' packet and, more importantly, I don't get the "Reassembled PVM" tab but just the "Reassembled TCP" tab.

As you can see, I'm a bit in trouble : )

Fabio


Attachment: Screenshot-1.PNG
Description: PNG image

Attachment: Screenshot-2.png
Description: PNG image
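
Added example (not part of the original message, and not Ethereal code): a stand-alone C sketch of the two stages described in the message, first cutting an in-order TCP byte stream into fragments regardless of segment boundaries, then joining fragments until one carries EOM. The 5-byte header layout, the buffer cap and all names are assumptions made for the illustration; the real PVM header is not shown in this thread.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical framing, NOT the real PVM header: 4-byte big-endian payload
 * length, 1 flag byte (bit 0 = EOM, last fragment of a message), payload. */
#define HDR_LEN  5
#define FLAG_EOM 0x01
#define BUF_CAP  4096
typedef struct {
    uint8_t stream[BUF_CAP]; size_t stream_len; /* stage 1: TCP bytes not yet framed */
    uint8_t msg[BUF_CAP];    size_t msg_len;    /* stage 2: fragments of open message */
    uint8_t out[BUF_CAP];    size_t out_len;    /* last completed message */
} reasm_t;

/* Feed one in-order TCP segment payload. Returns messages completed, -1 on error. */
int feed_segment(reasm_t *r, const uint8_t *seg, size_t len) {
    size_t off = 0;
    int done = 0;
    if (len > BUF_CAP - r->stream_len) return -1;
    memcpy(r->stream + r->stream_len, seg, len);
    r->stream_len += len;
    while (r->stream_len - off >= HDR_LEN) {             /* a full header is available */
        const uint8_t *h = r->stream + off;
        uint32_t plen = (uint32_t)h[0] << 24 | (uint32_t)h[1] << 16 | (uint32_t)h[2] << 8 | h[3];
        if (plen > BUF_CAP - r->msg_len) return -1;      /* never trust the length field */
        if (r->stream_len - off - HDR_LEN < plen) break; /* fragment continues in a later segment */
        memcpy(r->msg + r->msg_len, h + HDR_LEN, plen);
        r->msg_len += plen;
        if (h[4] & FLAG_EOM) {                           /* last fragment: message is complete */
            memcpy(r->out, r->msg, r->msg_len);
            r->out_len = r->msg_len; r->msg_len = 0; done++;
        }
        off += HDR_LEN + plen;
    }
    memmove(r->stream, r->stream + off, r->stream_len - off); /* keep the partial tail */
    r->stream_len -= off;
    return done;
}

/* Constructed input: "HELLO " + "WORLD"(EOM) cut into 3 segments off fragment boundaries. */
int demo(void) {
    static const uint8_t s[21] = {0,0,0,6,0,'H','E','L','L','O',' ',0,0,0,5,FLAG_EOM,'W','O','R','L','D'};
    static reasm_t r;
    memset(&r, 0, sizeof r);
    if (feed_segment(&r, s, 3) != 0 || feed_segment(&r, s + 3, 11) != 0) return -1;
    if (feed_segment(&r, s + 14, 7) != 1) return -1;
    return memcmp(r.out, "HELLO WORLD", 11) == 0 ? (int)r.out_len : -1;
}
int main(void) { return demo() == 11 ? 0 : 1; }
```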