Wireshark-dev: Re: [Wireshark-dev] foo dissector of the dev guide

From: Lange Jan-Erik <Jan-Erik.Lange@xxxxxxxxxxxxxx>
Date: Thu, 18 Nov 2010 11:22:19 +0100
You're right. I captured UDP Frames from my network. Now I'm working with these Frames an modify them in a HEX Editor for testing..
 
Thank you very much
 

Von: wireshark-dev-bounces@xxxxxxxxxxxxx [wireshark-dev-bounces@xxxxxxxxxxxxx] im Auftrag von Guy Harris [guy@xxxxxxxxxxxx]
Gesendet: Donnerstag, 18. November 2010 04:59
An: Developer support list for Wireshark
Betreff: Re: [Wireshark-dev] foo dissector of the dev guide


On Nov 16, 2010, at 2:16 AM, Lange Jan-Erik wrote:

I want to try the example dissector out of the dev guide of wireshark.
 
The dissector works with UDP on port 1234. But when I'm sending a UDP Frame with UDP Src 1234 und Dest 1234 (IPv4) then in the protocol section of the UI is labeled with IP only like you can see in the screenshot picture. Shouldn't it be labeled with FOO?

No, because they're IP fragments.  In order for the IP dissector to hand those packets to the UDP dissector, either:

1) if IP reassembly is disabled, those packets must be the first fragment - in the sense of having a fragment offset of 0 - of the fragmented datagram 

or

2) if IP reassembly is enabled, all the fragments must be present in the capture, so that the fragments can be reassembled, and those packets must be the last fragment - in the sense of "last fragment, chronologically" - of the fragmented datagram.

Those fragments do *not* have a fragment offset of 0, so they'll just be dissected as IP fragments unless the fragmented datagram can be reassembled.  In order for the IP datagram to be reassembled, IP reassembly must be enabled (which it is by default), and *all* of the fragments must be present; I don't see the other fragments in that capture.