Wireshark-dev: Re: [Wireshark-dev] tcp_dissect_pdus

From: "John R. Hogerhuis" <jhoger@xxxxxxxxx>
Date: Thu, 07 Sep 2006 09:03:45 -0700
On Thu, 2006-09-07 at 03:22 -0700, Guy Harris wrote:
> John R. wrote:
> > I have an issue with desegmentation of packets: if the minimal
header
> > required to judge length is broken across TCP segments A and B, at
> > segment A it decides properly to return expecting the remainder of
the
> > minimal header. In my problem case, the next tcp segment to arrive
has
> > the remainder of this packet and several others. It calls my pdu
> > measurement routine which through printf's I've determined is
properly
> > returning the length of the full PDU.
> 
> That length includes the minimal header, right?  I.e., a 30-byte PDU 
> would have a 5-byte minimal header plus 25 bytes of payload after the 
> minimal header; in that case, your routine should be returning 30,
not 
> 25, even if the length is determined by a value in the minimal
header, 
> and that value is the length of data *after* the minimal header
(i.e., 
> 25, in the example I gave).
> 

Right. There is a 5 byte header, and the value returned is the total PDU
length including the header.

> > Once segment B appears should tcp_dissect_pdus stay in the dissect
> > loop until all packets within it are decoded?
> 
> Yes (if by "within it" you mean "fully within it or previous TCP 
> segments"; the last packet might have the start, but not the end, in 
> that segment, in which case it can't dissect the last packet at that
point).
> 

In that case I think the problem is definitely below tcp_dissect_pdus.
The issue seems to be that tvb_ensure_length_remaining (I am not at my
client's but I think that is the name of the routine) called by
tcp_dissect_pdus is returning only the length of the header not the full
length of segment B. So once tcp_dissect_pdus finds out the length of
the PDU (36 bytes) it returns.

> Are TCP segments A and B in order in the capture?

Yes.

> 
> > What function calls my outer dissector that calls tcp_dissect_pdus?
> 
> decode_tcp_ports(), in epan/dissectors/packet-tcp.c.
> 
> It's called from process_tcp_payload(), also in 
> epan/dissectors/packet-tcp.c, and that's called by desegment_tcp()
and 
> dissect_tcp_payload(), also in epan/dissectors/packet-tcp.c. 
> dissect_tcp_payload() is called from dissect_tcp(), and it calls 
> desegment_tcp() if it can do desegmentation.
> 
> 

I've been poking around in the tcp dissector code. I'll let you know if
I come up with something useful.

Thanks,

-- John.