Wireshark-dev: [Wireshark-dev] Problems with dissecting fragmented packets
Hi,

I'm writing a dissector for our LTE PHY packets. I have started working on fragmented packets. These are Ethernet packets that are fragmented with some proprietary limitation. Nevertheless, we have a PI header (under the Ethernet header) that is always there in any fragment. The PI header contains what I thought is sufficient data for the fragment functions, such as: size - the size of the PI message payload, Fragment (full, first, mid and last, indicating which part of the fragmented packet we are in) and sequence - message sequence index.

I have used the "fragment_add_seq_check()" and the "process_reassembled_data()" functions to reassemble the packets but with no success. I get no reassembled packets. Only an indication on the fragments. I followed the "How to reassemble split packet" section 9.4 in the developers guide. I also went through the code over and over and see no problem. It seems that there is no use for the "LAST" indication of the fragmentation. After the last one I should have got a reassembled packet.

I am adding screenshots of the capture:

1. All – 3 regular packets and then the data packet is fragmented into 4 packets
2. F1 – The first fragmented packet. Its fragment flag field is = “1” meaning FIRST
3. F2 – The second fragmented packet. Its fragment flag field is = “2” meaning MID (2 and 3 are the same)
4. F4 – The fourth fragmented packet. Its fragment flag field is = “3” meaning LAST. This is the indicator meaning there are no more fragments belonging to the packet.

I have also added the part of the code I wrote for dissecting the fragments. You can also see on the screenshots, I have added a few prints: flags – fragment state, msg_seq – packet sequence, frag_msg and new_tvb.

Any help will be much appreciated.

Yosi
Attachment: all.JPG
Attachment: f1.JPG
    if (flags != FR_FULL) {
        tvbuff_t *new_tvb = NULL;
        fragment_data *frag_msg = NULL;
        /* sequence field read from offset 4 of the PI header, plus one */
        guint16 msg_seq = tvb_get_ntohs(tvb, 4) + 1;

        offset = len;
        msg_id = 1;
        proto_tree_add_text(tree, tvb, 0, -1, "msg_seq: %d", msg_seq);

        pinfo->fragmented = TRUE;
        /* last argument is the "more fragments" flag */
        frag_msg = fragment_add_seq_check(tvb, offset, pinfo, msg_id,
                                          dan_fragment_table, dan_reassembled_table,
                                          msg_seq, tvb_length_remaining(tvb, offset),
                                          (flags == FR_LAST));

        /* debug prints shown in the screenshots */
        if (frag_msg == NULL)
            proto_tree_add_text(tree, tvb, 0, -1, "frag_msg: %s", "NULL");
        else {
            if (frag_msg->next != NULL)
                proto_tree_add_text(tree, tvb, 0, -1, "frag_msg->next: %u", frag_msg->next);
            else
                proto_tree_add_text(tree, tvb, 0, -1, "frag_msg->next: %s", "NULL");
        }

        new_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled Message",
                                           frag_msg, &dan_frag_items, NULL, tree);

        if (frag_msg)
            col_append_str(pinfo->cinfo, COL_INFO, "Message Reassembled");
        else
            col_append_fstr(pinfo->cinfo, COL_INFO, "Message Fragment %u", msg_seq);

        proto_tree_add_text(tree, tvb, 0, -1, "new_tvb: %u", new_tvb);

        if (new_tvb) {
            /* reassembly finished: dissect the reassembled buffer */
            next_tvb = new_tvb;
            dan_parse = TRUE;
            //dan_parse_frag = TRUE;
        }
        else
            next_tvb = tvb_new_subset(tvb, offset, -1, -1);
    }
    else {
        /* unfragmented (FULL) message */
        next_tvb = tvb_new_subset(tvb, offset, -1, -1);
        dan_parse = TRUE;
    }
    pinfo->fragmented = save_fragmented;
Attachment: f4.JPG
Attachment: f2.JPG
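
The header fields described in the message above (fragment flag, sequence index, payload size) are enough to drive a strict in-order reassembler with a bounded buffer. The following is an added example, not code from the original post and not Wireshark's reassembly API. Flag values 1, 2 and 3 come from the post; FR_FULL = 0, the 4096-byte cap, the names reasm_t and reasm_add, and the sequence index increasing by one per fragment are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* 1/2/3 are the flag values given in the post; FR_FULL = 0 is assumed. */
enum { FR_FULL = 0, FR_FIRST = 1, FR_MID = 2, FR_LAST = 3 };

#define REASM_MAX 4096          /* hypothetical cap on one reassembled message */

typedef struct {
    uint8_t  buf[REASM_MAX];
    size_t   len;               /* bytes collected so far */
    uint16_t next_seq;          /* sequence index expected next (assumed +1 per fragment) */
    int      active;            /* 1 after a FIRST, until LAST or an error */
} reasm_t;

/* Returns 1 when a complete message is in r->buf (r->len bytes),
 * 0 when more fragments are needed, -1 when the fragment is rejected. */
int reasm_add(reasm_t *r, int flag, uint16_t seq,
              const uint8_t *payload, size_t size)
{
    if (flag == FR_FULL || flag == FR_FIRST) {
        r->len = 0;             /* start over; any unfinished message is dropped */
        r->active = (flag == FR_FIRST);
    } else if (flag == FR_MID || flag == FR_LAST) {
        if (!r->active || seq != r->next_seq) {
            r->active = 0;      /* stray, duplicate or out-of-order fragment */
            return -1;
        }
    } else {
        return -1;              /* unknown flag value */
    }
    if (size > REASM_MAX - r->len) {   /* bound check before the copy */
        r->active = 0;
        return -1;
    }
    if (size)
        memcpy(r->buf + r->len, payload, size);
    r->len += size;
    r->next_seq = (uint16_t)(seq + 1);
    if (flag == FR_FULL)
        return 1;
    if (flag == FR_LAST) {
        r->active = 0;
        return 1;
    }
    return 0;
}
```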