Wireshark-dev: Re: [Wireshark-dev] reasebling packets - dissector question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 22 Feb 2009 14:01:16 -0800

On Feb 22, 2009, at 12:19 PM, יוני תובל wrote:

i mean , should i expect that my dissection logic receive an asembled buffer from the tcp_dissect_pdus?

For protocols running over TCP and using tcp_dissect_pdus(), you need, in effect, two dissectors:

1) the dissector called from the TCP dissector, which receives raw TCP segments, and calls tcp_dissect_pdus();

2) the dissector called from tcp_dissect_pdus(), which receives reassembled messages.

See, for example, the DNS dissector, in packet-dns.c; the first dissector is

	static void
	dissect_dns_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
	{
	  tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2, get_dns_pdu_len,
	        dissect_dns_tcp_pdu);
	}

and the second dissector is

	static void
dissect_dns_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
	{
	  if (check_col(pinfo->cinfo, COL_PROTOCOL))
	    col_set_str(pinfo->cinfo, COL_PROTOCOL, "DNS");

	  dissect_dns_common(tvb, pinfo, tree, TRUE, FALSE, FALSE);
	}

where "dissect_dns_common()" dissects a DNS message. The DNS-over-UDP dissector does

	static void
	dissect_dns_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
	{
	  if (check_col(pinfo->cinfo, COL_PROTOCOL))
	    col_set_str(pinfo->cinfo, COL_PROTOCOL, "DNS");

	  dissect_dns_common(tvb, pinfo, tree, FALSE, FALSE, FALSE);
	}

The first of the 3 Boolean arguments to dissect_dns_common() specifies whether this is DNS-over-UDP or DNS-over-TCP; for DNS-over-TCP, it assumes the message starts with a DNS-over-TCP header (with the message length), and dissects that as well.

If your protocol runs *only* over TCP, your second dissector could do all the dissection work, rather than calling a common routine.