Wireshark-dev: Re: [Wireshark-dev] problems with fragmented reassembly on tcp

From: Kristof Provost <Kristof.Provost@xxxxxxxxxx>
Date: Wed, 04 Oct 2006 18:59:11 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I suspect it will be easier if you use the tcp_dissect_pdus() function.
If you can determine the message length without reading the entire
message (you can) that's the recommended approach.

See the README.developer file.

Disclaimer: I'm not a wireshark developer, I may be wrong.

Kristof

> Hi list,
> I'm fighting with tcp reassembling but i have always some
> problem. i have to dissect a protocol composed by different
> messages. Each message had a fixed size header (from 55555555
> to messgeId) and in mesageLenght there is the length of the
> messages.
> 
>             |<-----------------myMsg------------------->|
> |---------+--------+----+------------+--------+--||---+
> |tcpHeader|55555555|0000|mesageLenght|messgeId|details|
> |---------+--------+----+------------+--------+--||---+
> 
> In each packet captured by wireshark i can find more of this
> messages and the last messages in the packet's payload
> (can be a single long message as well) can be interrupted
> in avary point by packets fragmentation.
> 
> 
> I wrote a dissector in the following manner:
> 
> __________________________________________________
> if  (((gint)(tvb->length)) < 20)
> { 
> 
>      pinfo->desegment_offset = 0;
>      pinfo->desegment_len = -1;
>      return -1; 
> 
> } 
>                else 
> 
> { 
> 
>      fmessageHead = (guint32)get_k_byte_from_n(tvb, 0, 4); 
> 
>      messageId = (guint32)get_k_byte_from_n(tvb, 4, 4); 
> 
>      messageChecksum = (guint32)get_k_byte_from_n(tvb, 8, 4); 
> 
>      reservedBytes = (guint32)get_k_byte_from_n(tvb, 12, 4); 
> 
>      messageLength = (guint16)get_k_byte_from_n(tvb, 16, 2); 
> 
>      message = (guint16)get_k_byte_from_n(tvb, 18, 2); 
> 
>  
> 
>      if  (((gint)(tvb->length)) < (18 + messageLength))	 
> 
>      { 
> 
>         pinfo->desegment_offset = 0; 
> 
>         pinfo->desegment_len = -1; 
> 
>         return -1; 
> 
>      }
> } 
> 
>  
>                          [.....code needed to dissect the message's 
> details....]
> 
> if (((tvb->length) - offset) > 0)
> {
>     tvbuff_t* new_new_tvb;
>     new_new_tvb = tvb_new_subset(tvb , offset, -1, -1);
>     dissect_phones_vklone_server(new_new_tvb, pinfo,
>                          phones_vklone_server_tree);
>     return 1;
> }
> 
> _______________________________________________________
> 
> 
> My idea was to dissect the packet until  the end of the tvb is
> reached and if the offset remain less then tvb->length I
> call recursively the dissector on the remainig tvb's subset.
> At the top I recognize if there is a complete message's header
> or not and if yes I check if there is an entire message and ask
> for other bytes if needed.
> 
> I'm still having problem with some packets.
> Is right my approach? Did you notice some big mistake or
> have some suggestion for me?
> 
> 
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFI+hfUEZ9DhGwDugRA+F2AJ9kUpsof35C3/id45LrUgxgO6s5wgCeIHrC
gbz/CwSqTztxpl4FdmObBYk=
=Y3Nr
-----END PGP SIGNATURE-----