Wireshark-dev: [Wireshark-dev] A plugin dissector and fragmented messages

From: Still Life <still.life@xxxxxxxx>
Date: Mon, 30 Jun 2008 11:29:19 +0200
Hi,
my name is Fabio and I'm from Genova, Italy.
I'm developing a plugin dissector for a protocol used by
a telephony-over-IP application on top of the TCP protocol.
Packets have this format:


           fmessage == one pdu (length = messageLength + 18)
          |<------------------------------------------->|
          |                                             |
|---------+--------+----+-------------+---------+--||---+
|tcpHeader|55555555|0000|messageLength|messageId|details|
|---------+--------+----+-------------+---------+--||---+
          |                                             |
          |<------------------------->|<--------------->|
           First 18 bytes needed to    messageLength
           determine the pdu length    bytes



A single TCP packet can contain one or more fmessages and
can be fragmented.

I wrote a dissector following this chapter of the developer's guide:
<http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html>

When a single, large pdu is split over several TCP packets, the
reassembly procedure works fine.
When a single TCP packet contains several pdus, the dissection works
fine over all the pdus.

The problem arises in the following case: multiple pdus in the first
TCP packet, with the last pdu fragmented before the minimum size
needed to determine its length (18 bytes):

                              pdu3 fragmented!
                    |<-------------...---------------------------->
                    |               This part is in another packet
|---------+----+----+--------+----+...----------+---------+--||---+
|tcpHeader|pdu1|pdu2|55555555|0000|messageLength|messageId|details|
|---------+----+----+--------+----+...----------+---------+--||---+
                                  ^
                                  FRAGMENTED HERE!
                                  (16 bytes)

The following TCP packet contains the other piece of pdu3:
|---------+-------------+---------+--||---+
|tcpHeader|messageLength|messageId|details|
|---------+-------------+---------+--||---+


In the first packet pdu1 and pdu2 are correctly dissected in detail,
but the packet is not marked as fragmented and the beginning
of pdu3 is totally ignored.
The packet with the other part of pdu3 is marked as
[TCP segment of a reassembled PDU]
and never reassembled.

pdu3 is missed!

Can anyone suggest where I'm wrong and/or how to get
reassembly to work?

My code is as follows:
___________________________________________________

#include <epan/packet.h>
#include <epan/dissectors/packet-tcp.h>

/* Size of the fixed header: enough bytes to read messageLength at offset 16 */
static const guint numberOfBytesNeededToKnowFmessageLength = 18;

/* Forward declarations, so the callbacks are known before tcp_dissect_pdus() uses them */
static guint get_phones_server_message_len(packet_info *pinfo, tvbuff_t *tvb,
                                           int offset);
static void dissect_phones_server_message(tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree);

/* The main dissecting routine */
static int dissect_phones_server(tvbuff_t *tvb, packet_info *pinfo,
                                 proto_tree *tree)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE,
                     numberOfBytesNeededToKnowFmessageLength, /* == 18 */
                     get_phones_server_message_len,
                     dissect_phones_server_message);
    return 1;
}


/* This method dissects fully reassembled messages.
 * tcp_dissect_pdus() takes a dissector_t here, which returns void. */
static void dissect_phones_server_message(tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree)
{
    guint offset = 0; /* advanced by the detail dissection below */
    if (tree)
    {
        /* DISSECTION DETAILS FOR THE FMESSAGE */
    }
}

/* Determine the PDU length of protocol phones_server */
static guint get_phones_server_message_len(packet_info *pinfo _U_, tvbuff_t *tvb,
                                           int offset)
{
    guint messageLength = 0;
    /* get_k_byte_from_n() is the author's own helper: it reads 2 bytes at offset+16 */
    messageLength = (guint)get_k_byte_from_n(tvb, offset + 16, 2);
    return (messageLength + 18); /* 18 is the length of the header */
}
________________________________________________________



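As an added example, not code from Fabio's post nor from Wireshark itself, the following stand-alone C program models the framing loop that tcp_dissect_pdus() is expected to perform on this protocol: buffer the unconsumed tail of a segment, refuse to read messageLength until 18 bytes are available, refuse to deliver a pdu until all messageLength + 18 bytes are available, and otherwise hand back as many complete pdus as the buffer holds. It assumes the 2-byte messageLength is big-endian and that the 16 bytes before it are the 55555555 marker plus zero padding (the post does not say either), and replays the exact split described above on constructed data: two whole pdus followed by the first 16 bytes of a third, with the remaining 2 header bytes and the body arriving in the next segment. All names (fm_stream, fm_feed_segment, fm_build_pdu, fm_run_scenario) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Framing constants from the post: 18-byte fixed header, 2-byte messageLength at offset 16. */
#define FM_HDR_LEN 18
#define FM_LEN_OFF 16
#define FM_MAX_BUF 4096

typedef struct {
    uint8_t buf[FM_MAX_BUF];   /* unconsumed bytes carried over from earlier segments */
    size_t  used;
    int     short_header;      /* times we stopped with fewer than FM_HDR_LEN bytes pending */
    int     short_body;        /* times we stopped with a full header but an incomplete body */
} fm_stream;

typedef void (*fm_pdu_cb)(const uint8_t *pdu, size_t len, void *ctx);

/* ASSUMPTION: big-endian length; the post only shows it read as 2 bytes at offset+16. */
static size_t fm_pdu_len(const uint8_t *hdr)
{
    return FM_HDR_LEN + (((size_t)hdr[FM_LEN_OFF] << 8) | hdr[FM_LEN_OFF + 1]);
}

/* Feed one TCP segment payload. Delivers every complete PDU to cb and keeps any
 * partial PDU for the next call. Returns the PDUs delivered, or -1 on buffer overflow. */
static int fm_feed_segment(fm_stream *s, const uint8_t *data, size_t len,
                           fm_pdu_cb cb, void *ctx)
{
    size_t off = 0, remaining, plen;
    int delivered = 0;

    if (s->used + len > FM_MAX_BUF)
        return -1;
    memcpy(s->buf + s->used, data, len);
    s->used += len;

    while (off < s->used) {
        remaining = s->used - off;
        if (remaining < FM_HDR_LEN) {   /* cannot read messageLength yet: wait for more */
            s->short_header++;
            break;
        }
        plen = fm_pdu_len(s->buf + off);
        if (remaining < plen) {         /* header known, body incomplete: wait for more */
            s->short_body++;
            break;
        }
        cb(s->buf + off, plen, ctx);
        delivered++;
        off += plen;
    }
    memmove(s->buf, s->buf + off, s->used - off);   /* partial PDU moves to the front */
    s->used -= off;
    return delivered;
}

/* Constructed PDU: 0x55 marker, zero padding, big-endian length, body of one repeated byte. */
static size_t fm_build_pdu(uint8_t *out, uint8_t body_fill, size_t body_len)
{
    memset(out, 0x55, 4);
    memset(out + 4, 0x00, FM_LEN_OFF - 4);
    out[FM_LEN_OFF]     = (uint8_t)(body_len >> 8);
    out[FM_LEN_OFF + 1] = (uint8_t)(body_len & 0xff);
    memset(out + FM_HDR_LEN, body_fill, body_len);
    return FM_HDR_LEN + body_len;
}

typedef struct { int count; size_t last_len; uint8_t last_fill; } fm_seen;

static void fm_record(const uint8_t *pdu, size_t len, void *ctx)
{
    fm_seen *seen = (fm_seen *)ctx;
    seen->count++;
    seen->last_len = len;
    seen->last_fill = pdu[len - 1];
}

/* Replays the post's case: segment 1 = pdu1 + pdu2 + first 16 bytes of pdu3,
 * segment 2 = the last 2 header bytes plus the body of pdu3. Returns 1 if pdu3 survives. */
static int fm_run_scenario(void)
{
    uint8_t pdu[3][FM_HDR_LEN + 32], seg1[128], seg2[128];
    size_t plen[3], n1 = 0, n2;
    fm_stream s;
    fm_seen seen = {0, 0, 0};
    int d1, d2;

    plen[0] = fm_build_pdu(pdu[0], 0xA1, 4);
    plen[1] = fm_build_pdu(pdu[1], 0xB2, 6);
    plen[2] = fm_build_pdu(pdu[2], 0xC3, 10);
    memcpy(seg1 + n1, pdu[0], plen[0]); n1 += plen[0];
    memcpy(seg1 + n1, pdu[1], plen[1]); n1 += plen[1];
    memcpy(seg1 + n1, pdu[2], 16);      n1 += 16;   /* cut at 16 bytes, just before messageLength */
    n2 = plen[2] - 16;
    memcpy(seg2, pdu[2] + 16, n2);

    memset(&s, 0, sizeof s);
    d1 = fm_feed_segment(&s, seg1, n1, fm_record, &seen);
    d2 = fm_feed_segment(&s, seg2, n2, fm_record, &seen);

    return d1 == 2 && d2 == 1 && s.short_header == 1 && s.short_body == 0 &&
           seen.count == 3 && seen.last_len == plen[2] && seen.last_fill == 0xC3 &&
           s.used == 0;
}
```

Calling fm_run_scenario() returns 1: the first segment yields pdu1 and pdu2 and parks the 16-byte stub of pdu3, and the second segment completes pdu3 as a single 28-byte PDU. The short_header and short_body counters record which of the two "need more data" branches fired, which is the distinction a dissector has to express to the TCP layer through pinfo->desegment_offset and pinfo->desegment_len.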