Wireshark-dev: Re: [Wireshark-dev] Wireshark - rtp desegment

From: Richard van der Hoff <richard@xxxxxxxx>
Date: Thu, 15 Apr 2010 01:07:27 +0100

Hi Lajos,

I've copied in the wireshark dev mailing list, as others may be able to help with your query.

I think the problem is that you are calling rtp_add_address for each packet. The idea is that you call it once for an entire RTP conversation. Typically it is called by something like the SIP or H.323 dissectors when a new RTP stream is opened. If you're calling it from an RTP subdissector, that's wrong - the RTP dissector needs to have known about the RTP conversation before it calls your subdissector in order to correctly handle the reassembly.

It sounds like you are doing the right thing by setting desegment_offset and desegment_len, but because you are telling the RTP dissector to treat each packet as a new RTP stream, you will only ever see one packet at a time.

In the traffic flow you are trying to dissect, is there a protocol like SIP which sets up the RTP streams, or do you just have the RTP data? In short, what makes the RTP dissector pass the traffic on to your subdissector?

Best,

Richard



Lajos Oláh wrote:
Hi,

I'm Lajos Olah and I'm working on a dissector for dissecting MTP2 packets from RTP payload. I've seen Your modification in packet-rtp.c in the wireshark mailing list archive (http://ipv4.wireshark.org/lists/wireshark-dev/200702/msg00302.html) and I've asked Daniel to contact You on facebook to have Your e-mail address.

Basically I would like You to confirm whether I'm using the API in packet-rtp.h in the appropriate way hence:
- I've found no documentation how to use it and I'm not sure what I'm doing is OK.
- I've found some assertion and segmentation fault in Your code and I don't want to debug it if it is a result of the inappropriate usage of the API.

I have no problem with registering dynamic payload types for the RTP dissector, etc., just with the appropriate method/order of calling Your functions. I've tried to use Your API in 2 ways.

*At first:*
- every time when my function which does the dissection of MTP2 over RTP was called, I used the rtp_add_address to add the actual packet to the conversation database constructed in packet-rtp.c, parameters were:
        - actual pinfo
        - actual src ip address
        - actual src port
        - 0 (hence the dest port is a don't care)
        - "MTP2" (string as setup method)
        - actual frame number (pinfo->fd->num)
        - FALSE (for is_video)
        - a GHashTable with a key-value "rtp.pt"-<dynamic payload type number>, example: "rtp.pt"-97
- when the dissection of the actual RTP payload is done and it ended in the middle of an MTP2 packet I set desegment_offset and desegment_len and returned.

My problem is that with this method my dissector is never called with more than 40 bytes (which is the size of one RTP payload). I've looked into Your code and found out that You treat every packet as a different conversation because of this part:

        void srtp_add_address(packet_info *pinfo,
                             address *addr, int port,
                             int other_port,
                             const gchar *setup_method, guint32 setup_frame_number,
                             gboolean is_video _U_, GHashTable *rtp_dyn_payload,
                             struct srtp_info *srtp_info)
        …
        …
                if ( !p_conv || p_conv->setup_frame != setup_frame_number) {
                        p_conv = conversation_new( setup_frame_number, addr, &null_addr, PT_UDP,
                                                   (guint32)port, (guint32)other_port,
                                                   NO_ADDR2 | (!other_port ? NO_PORT2 : 0));
                }
        …

*This made me try another usage of the API:*
- I tried to determine in my dissector if a packet belonged to a conversation and in case it did I called the rtp_add_address with the frame number of the first packet in the conversation. It looks like this:

        conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
                                         pinfo->srcport, pinfo->destport, 0);
        if (conversation == NULL) {
                /* there was no conversation => this packet is the first in a new conversation => let's create it */
                conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
                                                pinfo->srcport, pinfo->destport, 0);
                rtp_add_address(pinfo, &pinfo->src, pinfo->srcport, 0, "MTP2", pinfo->fd->num, FALSE, hashtable);
        } else {
                rtp_add_address(pinfo, &pinfo->src, pinfo->srcport, 0, "MTP2", conversation->setup_frame, FALSE, hashtable);
        }

- Everything else, so the set of the desegment_len and desegment_offset was the same.

With this method I've got segmentation fault and failed assertion however Your code seemed to do some desegmenting before it crashed.

        15:35:56 Warn Dissector bug, protocol RTP, in packet 4: proto.c:3736: failed assertion "fixed_item->parent == tree"
        Segmentation fault

After this I could not figure out another idea how to use the API. This is why I would like to ask You to tell me how to use it. Of course I don't want You to write my code, just some hints if possible. Thanks in advance! Regards,



*LAJOS OLAH *
*System Test Engineer*

Ericsson Telecom Hungary
RFT/D
Budapest, Irinyi Jozsef Street 4-20
1017, Hungary
Phone +36309537333
lajos.olah@xxxxxxxxxxxx
www.ericsson.com
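Added example, not part of either message and not Wireshark code: a small stand-alone C model of the check quoted from srtp_add_address, showing why registering the stream on every packet caps the subdissector at one 40-byte payload while registering it once lets reassembly accumulate. The names model_find, model_add_address and max_bytes_seen, port 5004 and the 100-byte PDU size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (hypothetical names): one conversation per source port,
 * holding the setup frame and the bytes buffered so far for reassembly. */
#define MAX_CONV 8
struct conv { int used, port; unsigned setup_frame; size_t buffered; };
static struct conv table[MAX_CONV];

static struct conv *model_find(int port) {
    for (int i = 0; i < MAX_CONV; i++)
        if (table[i].used && table[i].port == port) return &table[i];
    return NULL;
}

/* Mirrors the quoted test: no conversation, or a different setup frame,
 * yields a fresh conversation whose reassembly state starts empty. */
static struct conv *model_add_address(int port, unsigned setup_frame) {
    struct conv *c = model_find(port);
    if (c && c->setup_frame == setup_frame) return c;  /* same stream: keep state */
    for (int i = 0; !c && i < MAX_CONV; i++)
        if (!table[i].used) c = &table[i];
    if (!c) return NULL;                               /* table full */
    c->used = 1; c->port = port; c->setup_frame = setup_frame; c->buffered = 0;
    return c;
}

/* Largest byte count the subdissector is ever handed over `frames` packets.
 * per_packet != 0: register on every packet with the current frame number.
 * per_packet == 0: register once, at frame 1, as a setup dissector would. */
size_t max_bytes_seen(int per_packet, unsigned frames, size_t payload, size_t pdu) {
    size_t max = 0;
    memset(table, 0, sizeof table);
    for (unsigned f = 1; f <= frames; f++) {
        if (per_packet || f == 1) {
            if (!model_add_address(5004, f)) return 0;
        }
        struct conv *c = model_find(5004);
        c->buffered += payload;                    /* payload joins pending data */
        if (c->buffered > max) max = c->buffered;
        if (c->buffered >= pdu) c->buffered = 0;   /* PDU complete, start over */
    }
    return max;
}

int main(void) {
    /* Constructed input: six 40-byte RTP payloads carrying 100-byte PDUs. */
    printf("registered per packet: %zu bytes\n", max_bytes_seen(1, 6, 40, 100));
    printf("registered once:       %zu bytes\n", max_bytes_seen(0, 6, 40, 100));
    return 0;
}
```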




