Wireshark-dev: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp

From: Sudarshan Raghavan <sudarshan.t.raghavan@xxxxxxxxx>
Date: Tue, 25 Aug 2009 18:51:17 +0530
On Tue, Aug 25, 2009 at 5:53 PM, didier<dgautheron@xxxxxxxx> wrote:
> Hi,
> Le lundi 24 août 2009 à 17:37 -0700, Guy Harris a écrit :
>> On Aug 24, 2009, at 11:02 AM, Sudarshan Raghavan wrote:
>>
>> > How do I make tcp_dissect_pdus work correctly with chunks across TCP
>> > segments.
>>
>> Is it not working correctly now?  I've seen it work correctly for
>> other protocols, even with multiple messages within one TCP segment,
>> messages split across TCP segments, and messages split across TCP
>> segments with the last TCP segment having the end of one message
>> followed by other messages or the beginning of another message.
>
>>
>> Note that "working correctly" does not mean "calling your dissector
>> with a non-zero offset", it means "calling your chunk dissector with a
>> completely reassembled RTMP chunk, even if the chunk is split across
>> TCP segment boundaries or if there are parts of more than one RTMP
>> chunk (or complete RTMP chunks) in a TCP segment".
> >From previous Sudarshan mails I'm not sure it's his problem but
> tcp_dissect_pdus only works well with RPC like protocols ie:
> send request
> wait reply
> send request
> ...
>
> because there's 'bubbles' in the TCP pipe odds that a PDU starts at the
> TCP segment offset zero are good. It's important for finding the *first*
> dissected PDU, after that it's ok.
>
>
> Not so for 'stream' like protocols or if you have a lot of missing TCP
> segments, something like :

This is similar to the problem that I am facing. The core issue is
with TCP segments that wireshark fails to pick up and in a streaming
protocol like RTMP it breaks everything from that point onwards.

>
> desegment_foo(tvb, offset)
>
>        marker_ofs = find_marker(tvb, offset);
>        if (marker_ofs)
>                add_idem("continuation");
>        if (marker_ofs >= 0)
>                tcp_dissect_pdus(tvb, min_length, marker_ofs)
>
> may help
> Of course it doesn't deal with a marker across TCP but you get the idea.

Thanks for the suggestion. I was thinking about doing something on
similar lines too. The only problem is in finding RTMP markers. From
what I have seen in the protocol (spec and other packet captures)
there does not seem to be any given magic number or marker to work
with. Well, that is a problem for me figure out. Thanks for the
responses.

>
> You can do it in the get_pdu_len function, but it has other issues (like
> when the actual length of the continuation is smaller than the min
> length).
>
> Didier
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>