Wireshark-dev: Re: [Wireshark-dev] Multiple Packets in One TCP Segment

From: Aurélien Decagny <funtim78@xxxxxxxxxxx>
Date: Mon, 17 Aug 2009 20:22:49 +0200
When you use tcp_dissect_pdus, an argument is the length of the data to be decoded.
This apparently say to Wireshark to stop the analyze, and then call again the dissector for the end of the data.

Anyway, I used this function to reassemble TCP packets, and apparently this also allow Whireshark to treat a TCP packet with multiple segment of data in it

Regards

Aurelien Decagny



Date: Mon, 17 Aug 2009 11:52:48 -0400
From: sditmore@xxxxxxxxx
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Multiple Packets in One TCP Segment

Hi Again,

I read through these functions. Req_rsp_headers does reassemble packets spanning multiple tcp packets. However, the main functionality I was hoping to copy from it doesn't exist. The real problem isn't detecting the end of the packets, so much as simply displaying each one in a separate column/using a seperate prototree for it. I want to be able to tell wireshark "this is the end of the packet, I am done, whatever is left in this buffer is another packet, please start anew". How do I do that?

Thank you.

On Fri, Aug 14, 2009 at 8:56 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:

> I am developing a packet dissector plugin for Wireshark. The packets
> I am dissecting do not specify their length in their header, but
> they are terminated by a special character (and can be a variable
> length). Additionally, multiple complete packets of the protocol may
> arrive in one tcp segment. I would like to know how to tell
> wireshark to divide up these packets. I understand there is a
> command called tcp_dissect_pdus(), but I believe it needs the length
> specified in the header. Is this correct?

Yes, it's correct.

There are many different ways of putting messages into a byte stream,
so that the receiver can carve the byte stream up.

One of them is to begin each message with a header that includes a
message length, or that includes data (such as a message type) from
which the message length can be inferred; tcp_dissect_pdus() handles
that case.  It does not handle other cases, as they have to be handled
in a very different fashion.

You might look at req_resp_hdrs_do_reassembly() in epan/
req_resp_hdrs.c for code that handles a similar case - the headers for
protocols such as HTTP continue up to a blank line.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



--
"To categorize is human; to distribute, divine."


Vous voulez savoir ce que vous pouvez faire avec le nouveau Windows Live ? Lancez-vous !