Wireshark-dev: [Wireshark-dev] Wireshark dissector development - Reassembly tcp frames

From: Guillaume Ribière <deokamiyi@xxxxxxxxx>
Date: Tue, 4 Nov 2014 11:48:03 +0100

Just before starting, sorry for my English... I'm French.

I'm developing (in the C language) a Wireshark dissector to dissect a protocol specific to the company where I work (it is the owner of it), but I have a problem when messages span several TCP frames... I cannot reassemble the messages: when a message is broken across two different TCP frames, I cannot put it back together into one message...

I read README.dissector and tried using two methods:

  • First method:

    tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
                     get_dns_pdu_len, dissect_dns_tcp_pdu, data);
    return tvb_captured_length(tvb);
    
  • Second method:

    guint offset = 0;
    while (offset < tvb_reported_length(tvb)) {
        gint available = tvb_reported_length_remaining(tvb, offset);
        gint len = tvb_strnlen(tvb, offset, available);

        if (-1 == len) {
            /* we ran out of data: ask for more */
            pinfo->desegment_offset = offset;
            pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
            return (offset + available);
        }

        col_set_str(pinfo->cinfo, COL_INFO, "C String");

        len += 1; /* Add one for the '\0' */

        if (tree) {
            proto_tree_add_item(tree, hf_cstring, tvb, offset, len,
                                ENC_ASCII|ENC_NA);
        }
        offset += (guint)len;
    }

    /* if we get here, then the end of the tvb coincided with the end of a
       string. Happy days. */
    return tvb_captured_length(tvb);
    

But it is impossible to reassemble the message, and I do not understand why... Can you help me please? I hope you understand my problem... :/
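
An added example, not code from the post or from Wireshark: a stand-alone C model of the bookkeeping that the first method hands to `tcp_dissect_pdus()`, buffering segment bytes until the fixed-length header and then the whole PDU are present. It assumes a 2-byte big-endian length prefix that counts the payload only (the framing DNS over TCP uses); `struct reasm`, `pdu_len` and `reasm_feed` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIXED_LEN 2      /* bytes needed before the PDU length is known */
#define BUF_MAX   4096   /* cap on buffered bytes (constructed limit) */

struct reasm {
    uint8_t buf[BUF_MAX]; /* bytes carried over from earlier segments */
    size_t  have;         /* number of valid bytes in buf */
};

/* Plays the role of get_dns_pdu_len() in the post: total PDU size,
 * header included, computed from the fixed-length header alone. */
static size_t pdu_len(const uint8_t *p)
{
    return (size_t)((p[0] << 8) | p[1]) + FIXED_LEN;
}

/* Feed one TCP segment. Returns how many complete PDUs became available,
 * or -1 if the segment does not fit in the buffer. */
int reasm_feed(struct reasm *r, const uint8_t *seg, size_t n)
{
    size_t off = 0;
    int pdus = 0;

    if (n > BUF_MAX - r->have)
        return -1;                   /* refuse rather than overflow */
    memcpy(r->buf + r->have, seg, n);
    r->have += n;

    while (r->have - off >= FIXED_LEN) {
        size_t need = pdu_len(r->buf + off);
        if (need > r->have - off)
            break;                   /* PDU incomplete: wait for next segment */
        pdus++;                      /* a full PDU would be dissected here */
        off += need;
    }
    /* Keep only the unconsumed tail for the next call. */
    memmove(r->buf, r->buf + off, r->have - off);
    r->have -= off;
    return pdus;
}
```

A declared length larger than `BUF_MAX` never completes in this model and ends in `-1`; a real dissector should likewise bound the length it trusts from the wire.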