Wireshark-dev: Re: [Wireshark-dev] complex problem

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 27 Oct 2011 10:53:13 -0400
Marcel Haas wrote:
On Tue, 18 Oct 2011 13:49:55 -0400, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
Marcel Haas wrote:
On Thu, 13 Oct 2011 09:03:38 -0400, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
Marcel Haas wrote:
Hey,
maybe the problem isnt so complex to solve but its complex for me to explain. :) I have written my own reassemble code and it seems to work. But i have one big problem. If i set the filter and click apply, it works,because it goes trough every packet. And I get my reassemble msg after the packet but if now click at the reassemble packet there is now reassemble tvb. I know the reason for that cause he interpret every packet one on one
Example:
Filter is set click at Apply
Packet: 1 -frag
Packet: 2 -frag
Packet: 3 -Reassemble (last frag)
If i click at Packet 3 he interprets only packet 3. He doesnt see packet 1 2
and so he bulits now Reass Tvb.

The part about not seeing packets 1 and 2 when clicking on packet 3
is correct.  You must do all your reassembly in the first pass (read:
even when !tree--which it appears you're doing) and it must be stored
in such a way that when it's (only) re-dissecting packet 3 it will
have the data from packets 1 and 2 available to it.  I suspect that
your custom reassembly routine isn't doing this latter part.

(Yes, this means that Reassembly requires using lots of memory.  See
http://wiki.wireshark.org/KnownBugs/OutOfMemory .)


___________________________________________________________________________

Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
Hmm okay, but e.g. epan/dissectors/packet-atalk.c use the fragment_add_seq_check function after if(tree) :(

Actually from what I saw of the code snippet you sent, I thought you
did NOT have the "reassembly inside if(tree)" problem.  That's why I
supposed your problem was the 2nd part: you need to store the
fragments the first (and only first) time you see the fragment.
pinfo->fd->flags.visited can be used as an indicator to tell your
dissector "we've seen this frame before, don't pass it to the
reassembly routines."

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

If have solved it last week..
now im using the wireshark reass function again .

i put the reass function befor If(tree) and its working.
I dont understand why it doesnt work after if(tree){} but its working fine now, so im happy :)

The problem is that the code inside if(tree) does not necessarily see every frame (because tree is generally NULL on the first complete pass through the file). Reassembly has to see every frame in order to work.