Wireshark-dev: Re: [Wireshark-dev] TCP and IP reassembling code

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 9 Apr 2014 09:57:38 -0700
On Apr 9, 2014, at 9:26 AM, Hadriel Kaplan <hadriel.kaplan@xxxxxxxxxx> wrote:

> On Apr 9, 2014, at 12:09 PM, Aaron Lewis <the.warl0ck.1989@xxxxxxxxx> wrote:
> 
>> Hi
>> 
>> Where can I find the TCP and IP reassembling code in Wireshark,
> 
> epan/reassemble.h
> epan/reassemble.c

...and the code that calls it in packet-ip.c, packet-ipv6.c, and packet-tcp.c.

Note that TCP reassembly is more complicated.  Most protocols that involve some form of fragmentation and reassembly define it at the protocol layer, so only the protocol's dissector is involved.  TCP, however, has no notion of packets in the service it offers; the service it offers is a byte stream with no packet boundaries in it, so reassembly involves both TCP *and* the protocol running atop it; that protocol specifies the packet boundaries in the byte stream, and its dissector needs to tell the TCP dissector when packets begin and end.

>> Is that re-usable?
> 
> Yes, it's used by a bunch of dissectors. (grep for 'reassembly_table_init')

I.e., "reusable" from within Wireshark.  It wasn't designed to be extracted from Wireshark and used elsewhere, if that's the re-use you have in mind; it might be possible to do so, but it'd be significant work.