Wireshark-dev: Re: [Wireshark-dev] Troubles With Reassembly

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 22 Apr 2009 13:41:09 -0700

On Apr 22, 2009, at 1:29 PM, gogrady@xxxxxxxxx wrote:

No, sorry, any count (bnp, or ie count) is only the data. So if a bnp message was actually 10 bytes long, the count would be 7.

Yes, that's what I said - a 3-byte BNP header and 250 bytes of BNP data would have a count in the BNP header of 250, and the total length of the packet, including the BNP header and the BNP data, would be 253.

Therefore, to reassemble BNP packets - not to reassemble multi-message stuff, just to reassemble the BNP header and data - you would use tcp_dissect_pdus() in the dissector that handles the BNP header. The fixed-length portion size handed to tcp_dissect_pdus() would be 3, to cover the BNP header, and the get_pdu_len routine would fetch the byte count from the BNP header, add 3 to it, and return the sum.

The dissector routine called by tcp_dissect_pdus() will be handed one BNP message - header plus data - at a time. That is exactly what it is supposed to do, and what it should be doing. It would dissect the BNP header, and then process the data appropriately. That might involve doing its own reassembly, over and above the BNP-message reassembly being done by the TCP dissector and tcp_dissect_pdus(), for the multi-message stuff.
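
The framing rule described in this message, modelled in plain C as an added example (it is not code from the post or from Wireshark, and it does not call the epan API). It assumes the count is a single byte at header offset 2, which the thread does not state; `bnp_stream`, `bnp_feed` and `bnp_demo` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define BNP_HDR_LEN   3  /* fixed-length portion handed to tcp_dissect_pdus() */
#define BNP_COUNT_OFF 2  /* ASSUMPTION: 1-byte count is the last header byte */

/* Job of the get_pdu_len routine: data count from the header, plus 3. */
static size_t bnp_pdu_len(const uint8_t *hdr)
{
    return (size_t)hdr[BNP_COUNT_OFF] + BNP_HDR_LEN;
}

/* Hypothetical stand-in for the per-connection state the TCP layer keeps. */
struct bnp_stream { uint8_t buf[1024]; size_t used, pdus, last_len; };

/* Feed one TCP segment; returns complete BNP messages finished, -1 if too big. */
static int bnp_feed(struct bnp_stream *s, const uint8_t *seg, size_t len)
{
    size_t off = 0;
    int done = 0;
    if (len > sizeof s->buf - s->used) return -1;  /* never copy past buf */
    memcpy(s->buf + s->used, seg, len);
    s->used += len;
    while (s->used - off >= BNP_HDR_LEN) {         /* whole header present? */
        size_t need = bnp_pdu_len(s->buf + off);
        if (s->used - off < need) break;           /* wait for more segments */
        s->last_len = need;        /* the BNP dissector sees header + data here */
        s->pdus++; done++;
        off += need;
    }
    memmove(s->buf, s->buf + off, s->used - off);  /* keep the partial tail */
    s->used -= off;
    return done;
}

/* Constructed input: a 10-byte message (count 7) then a 253-byte one (count 250),
 * cut into TCP segments of 2, 100 and 161 bytes. Returns messages delivered. */
static size_t bnp_demo(void)
{
    uint8_t wire[263] = {0};
    struct bnp_stream s = {0};
    wire[BNP_COUNT_OFF] = 7; wire[10 + BNP_COUNT_OFF] = 250;
    bnp_feed(&s, wire, 2);          /* header incomplete: nothing delivered */
    bnp_feed(&s, wire + 2, 100);    /* first message done, second partial */
    bnp_feed(&s, wire + 102, 161);  /* second message completes */
    return s.used == 0 && s.last_len == 253 ? s.pdus : 0;
}

int main(void) { return bnp_demo() == 2 ? 0 : 1; }
```

The two checks that matter are reading the count only once all 3 header bytes are buffered, and delivering a message only once header plus data are both present.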