Wireshark-dev: [Wireshark-dev] A plugin dissector and fragmented messages
From: Still Life <still.life@xxxxxxxx>
Date: Mon, 30 Jun 2008 11:29:19 +0200

Hi, my name is Fabio and I'm from Genova, Italy. I'm developing a plugin dissector for a protocol used by a telephony over IP application on top of the TCP protocol. Packets have this format:

             fmessage == one pdu (length=messageLength+18)
          |<------------------------------------------->|
          |                                             |
|---------+--------+----+-------------+---------+--||---+
|tcpHeader|55555555|0000|messageLength|messageId|details|
|---------+--------+----+-------------+---------+--||---+
          |                                             |
          |<------------------------->|<--------------->|
           First 18 bytes needed to     messageLength
           determine the pdu length         bytes

A single TCP packet can contain one or more fmessages, and an fmessage can be fragmented. I wrote a dissector following this chapter of the developer's guide: <http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html>

When a single, large pdu is split across several TCP packets, the reassembly procedure works fine. When a single TCP packet contains several pdus, the dissection works fine over all the pdus. The problem arises in the following case, with multiple pdus in the first TCP packet and the last pdu fragmented before the minimum size needed to determine its length (18 bytes):

                              pdu3 fragmented!
                    |<-------------...---------------------------->
                                    |  This part is in another packet
|---------+----+----+--------+----+...----------+---------+--||---+
|tcpHeader|pdu1|pdu2|55555555|0000|messageLength|messageId|details|
|---------+----+----+--------+----+...----------+---------+--||---+
                                   ^ FRAGMENTED HERE! (16 bytes)

The following TCP packet contains the other piece of pdu3:

|---------+-------------+---------+--||---+
|tcpHeader|messageLength|messageId|details|
|---------+-------------+---------+--||---+

In the first packet, pdu1 and pdu2 are correctly dissected in detail, but the packet is not marked as fragmented and the beginning of pdu3 is totally ignored. The packet with the other part of pdu3 is marked as [TCP segment of a reassembled PDU] and never reassembled. pdu3 is missed!

Can anyone suggest where I'm going wrong and/or how to get reassembly to work? My code is as follows:
___________________________________________________
static const guint numberOfBytesNeededToKnowFmessageLenght = 18;

/* The main dissecting routine */
static int
dissect_phones_server(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE,
                     numberOfBytesNeededToKnowFmessageLenght, //==18
                     get_phones_server_message_len,
                     dissect_phones_server_message);
    return 1;
}

/* This method dissects fully reassembled messages */
static int
dissect_phones_server_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    guint offset = 0;

    if (tree) {
        // DISSECTION DETAILS FOR THE FMESSAGE
    }
    return offset;
}

/* determine PDU length of protocol phones_server */
static guint
get_phones_server_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    guint messageLength = 0;

    messageLength = (guint)get_k_byte_from_n(tvb, offset+16, 2);
    return (messageLength+18); // 18 is the length of the header
}
________________________________________________________
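
The failing case described in the post (a PDU whose 18-byte header is itself split across two TCP segments), modelled as a stand-alone C stream reassembler. This is an added example, not code from the original post or from Wireshark; the `reasm` struct, `reasm_feed`, the 4096-byte buffer cap and the big-endian length field are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 18      /* bytes needed before the PDU length is known (from the post) */
#define LEN_OFF 16      /* offset of the 2-byte length field (from the post's code) */
#define BUF_MAX 4096    /* constructed cap on buffered stream bytes */

struct reasm {
    uint8_t buf[BUF_MAX];   /* unconsumed tail of the TCP stream */
    size_t  have;           /* bytes currently held in buf */
    size_t  pdus;           /* complete PDUs delivered so far */
};

/* Assumption: big-endian length field; the post does not state the byte order. */
static size_t pdu_len(const uint8_t *p)
{
    return (size_t)((p[LEN_OFF] << 8) | p[LEN_OFF + 1]) + HDR_LEN;
}

/* Feed one TCP segment payload. Returns the number of PDUs completed by this
 * segment, or -1 if the segment does not fit in the buffer. */
static int reasm_feed(struct reasm *r, const uint8_t *seg, size_t n)
{
    size_t off = 0;
    int done = 0;

    if (n > BUF_MAX - r->have)
        return -1;
    memcpy(r->buf + r->have, seg, n);
    r->have += n;

    for (;;) {
        size_t left = r->have - off;
        if (left < HDR_LEN)     /* header itself is split: wait for more data */
            break;
        size_t need = pdu_len(r->buf + off);
        if (left < need)        /* body is split: wait for more data */
            break;
        off += need;            /* a real dissector would decode the PDU here */
        done++;
    }
    memmove(r->buf, r->buf + off, r->have - off);   /* keep the partial tail */
    r->have -= off;
    r->pdus += (size_t)done;
    return done;
}
```

The `left < HDR_LEN` branch is the one the post's capture exercises: the 16 leftover bytes must be retained and rejoined with the next segment before the length field can be read.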