Wireshark-dev: Re: [Wireshark-dev] flagging gaps in sequence

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 17 Jul 2008 08:05:02 +0200
Hi,

That is a very poor way of doing that for several reasons.
1. There may be not only missing packets, but also out-of-sequence packets.
2. There may be more than one packet flow in the capture.

So, the solution is a bit more complex than this.
1. Make a linked list to track seen packet numbers, or make a tap.
2. Use conversations to track multiple packet flows.

Al this is described in the doc/README files and techniques can be found in various dissectors.

Thanx,
Jaap

Barnes, Pat wrote:
If you use a local static variable in the dissect_yourprot() function, it will store the number across packets. eg:
//don't expect this to compile, it's just a mock-up
static int dissect_yourprot(pinfo, tvb, tree) {
    static guint32 last_sequence_number = 0;
    guint32 sequence_number;
... sequence_number = tvb_get_ntohl(tvb, 2); if (last_sequence_number && sequence_number != last_sequence_number + 1) {
        //gap!
}
    last_sequence_number = sequence_number;
...
}
-Patrick
------------------------------------------------------------------------
*From:* wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] *On Behalf Of *Kwan Ng [LAVA]
*Sent:* Thursday, 17 July 2008 7:55 AM
*To:* wireshark-dev@xxxxxxxxxxxxx
*Subject:* [Wireshark-dev] flagging gaps in sequence

Hi,

I�m fairly new to Wireshark development...actually, I just started today.

I wrote a plugin for a UDP based protocol and it�s working fine. The protocol has a sequence number as the second field (4 bytes, offset = 2 bytes). The sequence numbers are sent sequentially, but since this is UDP, I am not guaranteed to receive all packets. How can I get the plugin to check for gaps in the sequence numbers?

Thanks.

Kwan Ng

Development Integration Specialist