Wireshark-dev: Re: [Wireshark-dev] Reassembling packets

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Sat, 11 Apr 2009 15:54:13 -0400
It seems to me that you need to implement the equivalent of what
tcp_dissect_pdus() does for TCP reassembly.  You might have a look at
that function in packet-tcp.c.
 
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of gogrady@xxxxxxxxx
> Sent: Tuesday, April 07, 2009 5:28 PM
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] Reassembling packets
> 
> Hello helpful people,
> 
> I'm working on writing a dissector for my protocol. However, one of the
> message types within my protocol is a Multi-Part Message. The layout of
> the protocol is:
> 
> first byte is packet type: 1 - heartbeat, 2 - data, 3 - multi part
> start, 4 - mp continuation, 5 - mp end
> next 2 bytes are for the number of bytes of data there is in the data
> next 1 or 2 bytes is the message ID
> then the data sections
> 
> And so the data sections are submessages, which can get cut off in the
> middle if it's a 3/4 packet type. There is a count section for the
> submessage that says how many bytes the submessage is, so I can compare
> that to the total count and can figure out how many bytes will be in
> the next message. When it's a 4 or 5 packet type, the layout is:
> 
> packet type, 1 byte
> number of bytes, 2 bytes
> bytes from last packet,
> ...
> 
> The way I dissect is to take the buffer after the packet type/data
> count part (first 3 bytes) and send it to a DLL to be decoded. I was
> thinking if I could take the first buffer and hold onto it so that I
> can put it after the second packet's type/data count part, etc., and keep
> appending the buffer till the 05, and then send that to be decoded.
> Would this be possible? I am looking for a way to hold onto the buffer
> from the 03 packet type, amend the 04 packet type buffers and finally
> have the whole buffer from the 03, 04's, and 05 messages combined into
> one large buffer. I hope this is clear. I read
> http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html,
> but that's not quite what I'm looking for, I don't think.
> 
> Thanks for any help,
> Greg
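
The buffering the question asks about, as an added example that is not part of either message and is not Wireshark code: a stand-alone C accumulator for the type 3/4/5 packets described above, with the bounds checks a dissector needs on untrusted lengths. The names `mp_state` and `mp_feed`, the 4096-byte cap and the big-endian length field are assumptions; the post gives no byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Packet types from the post; header is 1 type byte + 2 length bytes. */
enum { PT_MP_START = 3, PT_MP_CONT = 4, PT_MP_END = 5, HDR_LEN = 3 };
#define MAX_REASSEMBLED 4096  /* assumed cap so a sender cannot grow the buffer without bound */

typedef struct {
    uint8_t buf[MAX_REASSEMBLED];
    size_t  len;
    int     active;           /* 1 between a type 3 and its type 5 */
} mp_state;

/* Feed one packet. Returns 1 when buf[0..len) holds a complete message,
 * 0 when more packets are needed or the packet is not multi-part,
 * -1 when the packet is malformed or out of sequence (state is reset). */
int mp_feed(mp_state *st, const uint8_t *pkt, size_t pkt_len)
{
    uint8_t type;
    size_t  dlen;

    if (pkt_len < HDR_LEN) goto bad;
    type = pkt[0];
    dlen = ((size_t)pkt[1] << 8) | pkt[2];            /* assumed big-endian */
    if (type < PT_MP_START || type > PT_MP_END) return 0;
    if (dlen > pkt_len - HDR_LEN) goto bad;           /* length field exceeds captured bytes */
    if (type == PT_MP_START) { st->len = 0; st->active = 1; }
    else if (!st->active) goto bad;                   /* 4 or 5 with no preceding 3 */
    if (dlen > MAX_REASSEMBLED - st->len) goto bad;   /* would overflow the buffer */

    memcpy(st->buf + st->len, pkt + HDR_LEN, dlen);
    st->len += dlen;
    if (type != PT_MP_END) return 0;
    st->active = 0;
    return 1;
bad:
    st->len = 0; st->active = 0;
    return -1;
}

/* Constructed sample: "HEL" + "LO" split across a type 3 and a type 5 packet. */
int main(void)
{
    static mp_state st;
    const uint8_t p1[] = { 3, 0, 3, 'H', 'E', 'L' }, p2[] = { 5, 0, 2, 'L', 'O' };
    mp_feed(&st, p1, sizeof p1);
    return mp_feed(&st, p2, sizeof p2) == 1 && st.len == 5 ? 0 : 1;
}
```

Inside a real dissector this state would be kept per conversation rather than in one global struct.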