Wireshark-dev: Re: [Wireshark-dev] Multiple Packets in One TCP Segment

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 14 Aug 2009 17:56:19 -0700

On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:

> I am developing a packet dissector plugin for Wireshark. The packets I am dissecting do not specify their length in their header, but they are terminated by a special character (and can be a variable length). Additionally, multiple complete packets of the protocol may arrive in one TCP segment. I would like to know how to tell Wireshark to divide up these packets. I understand there is a command called tcp_dissect_pdus(), but I believe it needs the length specified in the header. Is this correct?

Yes, it's correct.

There are many different ways of putting messages into a byte stream, so that the receiver can carve the byte stream up.

One of them is to begin each message with a header that includes a message length, or that includes data (such as a message type) from which the message length can be inferred; tcp_dissect_pdus() handles that case. It does not handle other cases, as they have to be handled in a very different fashion.

You might look at req_resp_hdrs_do_reassembly() in epan/req_resp_hdrs.c for code that handles a similar case - the headers for protocols such as HTTP continue up to a blank line.
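The carving loop Guy describes, for the terminator-delimited case, boils down to: scan the segment for the terminator, hand each complete message to the dissector, and when the tail has no terminator ask TCP for more data rather than dissecting a truncated message. The following is an added stand-alone C example (not code from the thread or from Wireshark's source) that runs that loop over a plain byte buffer so it can be executed without the Wireshark headers; the Wireshark calls a real dissector would make at each step (tvb_find_guint8(), pinfo->desegment_offset, pinfo->desegment_len, DESEGMENT_ONE_MORE_SEGMENT) are named in comments. The terminator '\n', the MAX_MSG_LEN cap and the sample segment are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumptions (not from the thread): the message terminator is '\n' and a
   well-formed message is never longer than MAX_MSG_LEN bytes. */
#define TERMINATOR   '\n'
#define MAX_MSG_LEN  64

typedef struct {
    size_t complete;   /* complete (terminated) messages found in this buffer    */
    size_t consumed;   /* bytes covered by those complete messages               */
    size_t leftover;   /* bytes of an unterminated tail waiting for more data    */
    int    oversized;  /* 1 if the unterminated tail already exceeds MAX_MSG_LEN */
} carve_result;

typedef void (*msg_cb)(const uint8_t *msg, size_t msg_len, void *ctx);

/* One pass over a TCP segment's payload, the way a dissector loops over its tvb. */
carve_result carve_segment(const uint8_t *buf, size_t len, msg_cb on_msg, void *ctx)
{
    carve_result r = {0, 0, 0, 0};
    size_t offset = 0;

    while (offset < len) {
        /* Wireshark: tvb_find_guint8(tvb, offset, -1, TERMINATOR) returns -1 if absent. */
        const uint8_t *term = memchr(buf + offset, TERMINATOR, len - offset);

        if (term == NULL) {
            size_t tail = len - offset;
            if (tail > MAX_MSG_LEN) {
                /* A peer that never sends the terminator must not make the
                   dissector buffer without bound: flag it and stop asking for more. */
                r.oversized = 1;
                r.leftover = tail;
                break;
            }
            /* Wireshark: pinfo->desegment_offset = offset;
                          pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
               TCP then re-calls the dissector with this tail plus the next segment. */
            r.leftover = tail;
            break;
        }

        size_t msg_len = (size_t)(term - (buf + offset)) + 1; /* include the terminator */
        if (on_msg)
            on_msg(buf + offset, msg_len, ctx);     /* dissect one complete message */
        r.complete++;
        offset += msg_len;                          /* advance to the next message */
        r.consumed = offset;
    }
    return r;
}

/* Callback used by the stand-alone demo: print each carved message without its terminator. */
static void print_msg(const uint8_t *msg, size_t msg_len, void *ctx)
{
    (void)ctx;
    printf("message (%zu bytes): %.*s\n", msg_len, (int)(msg_len - 1), (const char *)msg);
}

int main(void)
{
    /* Constructed sample segment: two complete messages plus a partial third. */
    static const uint8_t seg[] = "HELLO\nWORLD\nPAR";
    carve_result r = carve_segment(seg, sizeof(seg) - 1, print_msg, NULL);
    printf("complete=%zu consumed=%zu leftover=%zu oversized=%d\n",
           r.complete, r.consumed, r.leftover, r.oversized);
    return 0;
}
```

In a real dissector the "leftover" branch is what replaces tcp_dissect_pdus(): because the length is unknown until the terminator arrives, the dissector returns after setting desegment_offset to the start of the partial message and desegment_len to DESEGMENT_ONE_MORE_SEGMENT, and TCP calls it again once more bytes are available. The MAX_MSG_LEN check is the caveat to keep in mind when writing that branch: without some bound, a peer that withholds the terminator forces unbounded reassembly buffering.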