Hi Again,
I read through these functions. Req_rsp_headers does reassemble packets spanning multiple TCP packets. However, the main functionality I was hoping to copy from it doesn't exist. The real problem isn't detecting the end of the packets, so much as simply displaying each one in a separate column/using a separate prototree for it. I want to be able to tell Wireshark "this is the end of the packet, I am done, whatever is left in this buffer is another packet, please start anew". How do I do that?
Thank you.
On Fri, Aug 14, 2009 at 8:56 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:
> I am developing a packet dissector plugin for Wireshark. The packets
> I am dissecting do not specify their length in their header, but
> they are terminated by a special character (and can be a variable
> length). Additionally, multiple complete packets of the protocol may
> arrive in one tcp segment. I would like to know how to tell
> wireshark to divide up these packets. I understand there is a
> command called tcp_dissect_pdus(), but I believe it needs the length
> specified in the header. Is this correct?
Yes, it's correct.
There are many different ways of putting messages into a byte stream,
so that the receiver can carve the byte stream up.
One of them is to begin each message with a header that includes a
message length, or that includes data (such as a message type) from
which the message length can be inferred; tcp_dissect_pdus() handles
that case. It does not handle other cases, as they have to be handled
in a very different fashion.
You might look at req_resp_hdrs_do_reassembly() in
epan/req_resp_hdrs.c for code that handles a similar case - the headers for
protocols such as HTTP continue up to a blank line.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
--
"To categorize is human; to distribute, divine."
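The framing discussed in this thread (terminator-delimited messages, several per TCP segment, possibly cut off at the segment boundary), as an added stand-alone example that is not code from the original messages or from Wireshark. The terminator value 0x0A and the names `carve_pdus`, `pdu_span` and `carve_result` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PDU_TERMINATOR 0x0A /* assumed terminator byte; the thread does not name one */
#define MAX_PDUS 16         /* cap on PDUs carved per call, bounds work per segment */

struct pdu_span { size_t offset, length; }; /* length includes the terminator */

struct carve_result {
    struct pdu_span pdus[MAX_PDUS];
    size_t count;          /* complete PDUs found */
    size_t pending_offset; /* first byte not covered by a complete PDU */
    int need_more;         /* 1 if trailing bytes have no terminator yet */
};

/* Walk the segment and emit one span per terminator found. In a dissector,
 * each span would get its own subtree, and the loop simply continues at the
 * byte after the terminator. When need_more is set, a Wireshark dissector
 * would set pinfo->desegment_offset to pending_offset and
 * pinfo->desegment_len to DESEGMENT_ONE_MORE_SEGMENT, then return.
 * If the MAX_PDUS cap is hit, need_more stays 0 and the caller resumes
 * from pending_offset. */
struct carve_result carve_pdus(const unsigned char *buf, size_t len)
{
    struct carve_result r;
    size_t offset = 0;

    memset(&r, 0, sizeof r);
    while (offset < len && r.count < MAX_PDUS) {
        const unsigned char *end = memchr(buf + offset, PDU_TERMINATOR, len - offset);
        if (end == NULL) {        /* partial PDU: do not dissect it yet */
            r.need_more = 1;
            break;
        }
        size_t pdu_len = (size_t)(end - (buf + offset)) + 1;
        r.pdus[r.count].offset = offset;
        r.pdus[r.count].length = pdu_len;
        r.count++;
        offset += pdu_len;
    }
    r.pending_offset = offset;
    return r;
}
```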