Wireshark-dev: Re: [Wireshark-dev] complex problem

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Marcel Haas <inf462@xxxxxxxxxxx>
Date: Wed, 26 Oct 2011 10:56:59 +0200
On Tue, 18 Oct 2011 13:49:55 -0400, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote: 
Marcel Haas wrote:
On Thu, 13 Oct 2011 09:03:38 -0400, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote: 
Marcel Haas wrote:

Hey,
maybe the problem isnt so complex to solve but its complex for me to explain. :) I have written my own reassemble code and it seems to work. But i have one big problem. If i set the filter and click apply, it works,because it goes trough every packet. And I get my reassemble msg after the packet but if now click at the reassemble packet there is now reassemble tvb. I know the reason for that cause he interpret every packet one on one 
Example:
Filter is set click at Apply
Packet: 1 -frag
Packet: 2 -frag
Packet: 3 -Reassemble (last frag)
If i click at Packet 3 he interprets only packet 3. He doesnt see packet 1 2 
and so he bulits now Reass Tvb.


The part about not seeing packets 1 and 2 when clicking on packet 3
is correct. You must do all your reassembly in the first pass (read: even when !tree--which it appears you're doing) and it must be stored 
in such a way that when it's (only) re-dissecting packet 3 it will
have the data from packets 1 and 2 available to it.  I suspect that
your custom reassembly routine isn't doing this latter part.
(Yes, this means that Reassembly requires using lots of memory. See 
http://wiki.wireshark.org/KnownBugs/OutOfMemory .)


___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> 
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
Hmm okay, but e.g. epan/dissectors/packet-atalk.c use the fragment_add_seq_check function after if(tree) :( 

Actually from what I saw of the code snippet you sent, I thought you
did NOT have the "reassembly inside if(tree)" problem.  That's why I
supposed your problem was the 2nd part: you need to store the
fragments the first (and only first) time you see the fragment.
pinfo->fd->flags.visited can be used as an indicator to tell your
dissector "we've seen this frame before, don't pass it to the
reassembly routines."

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe 

If have solved it last week..
now im using the wireshark reass function again .

i put the reass function befor If(tree) and its working.
I dont understand why it doesnt work after if(tree){} but its working fine now, so im happy :) 
Regards Marcel