Wireshark-dev: Re: [Wireshark-dev] Filebacked-tvbuffs : GSoC'13

From: Ambarisha B <b.ambarisha@xxxxxxxxx>
Date: Fri, 3 May 2013 15:07:53 +0530
On Thu, May 2, 2013 at 9:55 PM, Anders Broman <anders.broman@xxxxxxxxxxxx> wrote:

Hi,

I’m not sure I get you, it currently works something like this on the first pass:

A packet is read from the file, the frame data structure is built and the file pointer is preserved in fdata, a tvb is built with the packet data this tvb is passed to the first dissector,

The tvb may be manipulated(a new one created with different data or a sub tvb) this is then passed to the next dissector which might decide that part of this tvb is a fragment

And call the fragment function which makes a copy of it and stores it in a hashtable. The packet dissection ends, the tvb(s) are destroyed and the next packet is read.

If this packet completes the reassembly the fragments are merged and the fragments released, we now have a copy of the completed segment in the completed fragments hashtable.

 

Subsequent passes:

We now display packet x, the packet is re-read from file using the file offset in frame data, pinfo->visited is 1 so no reassembly is made. If this packet is a reassembled packet we will lookup

The data in the reassembled packets hashtable make a tvb from the stored buffer and display that tvb, this tvb is destroyed once we are done with the packet.


Thanks, that explanation puts what you were trying to say into perspective. I was thinking that the reassembly "lived" just for the first pass and the reassembled data is extracted from the tvb for subsequent passes.
 

Alternatively if the file is rewritten on the first pass writing the reassembled data together with the packet holding the last fragment the reassembled data could be read together with the packet

But that might have other problems and might require changes to the file format description (pcap-ng) some sort of prototyping to test the idea maybe?


If it is reassembled fragments themselves, we want to store (not tvbuffs), isn't this more appropriate than storing that data in separate files and maintaining file pointers into those separate files?

Thanks and regards,
Ambarish