Wireshark-dev: Re: [Wireshark-dev] Troubles With Reassembly

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 21 Apr 2009 20:36:25 -0700

On Apr 20, 2009, at 8:19 AM, gogrady@xxxxxxxxx wrote:

There are 3 headers

BNP: uses one byte to tell if message is heartbeat, data, multi message start, multi message middle, multimessage end. And 2 bytes for the count of the data.

Message: 1 or 2 bytes after the BNP header. There is only 1 message per BNP.

SubMessages: 1 or 2 bytes for ID, 1 byte for cluster, 1 or 2 bytes for data count. There are many submessages under a Message.

In a packet, there can be many BNP messages (1 BNP message carries 1 Message which has many subMessages).

So is the length field in the BNP header the length of:

	the message that comes after the BNP header;

the message plus the BNP header (i.e., the length of the message, plus 3 for the 3-byte BNP header);

	something else?

I’m also running into problem with my multi messages. How they work is that when it’s a multimessage start, it has a BNP header, a Message header, and then goes into complete Submessage information. If it is a multimessage middle, it has a BNP header, then goes into complete multimessage information. If it is a multimessage end, it has a BNP header, message header, and complete Submessage information. What I want to do, if to take the whole message start buffer and save it somehow, then append on just the submessage part of the middle and end, then send it to be dissected.

In other words, you have *two* levels of reassembly:

1) the protocol runs atop TCP, so the BNP header+message could be split between TCP segments;

2) some higher-level stuff can be split across multiple BNP messages with the multimessage stuff?

If so, the stuff under 1) can probably be done with tcp_dissect_pdus() (depending on the answer to my question above), and the stuff under 2) would be at a completely different level and would require that you do your own reassembly.