Wireshark-dev: Re: [Wireshark-dev] save_fragmented

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 28 Sep 2015 15:14:49 -0400
On 09/25/15 07:32, João Valverde wrote:
Hi,

What's the use case for save_fragmented? The documentation doesn't
explain why it's there:

https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html

The context leads me to think that save_fragmented is only relevant in
this case because the example deals with a custom fragmentation protocol
over UDP...

Maybe for IP-in-IP it would be significant too but could someone please
clarify for me the intended usage?

Does something else happen using pinfo->fragmented after the IPv4/IPv6
dissector returns?

pinfo->fragmented is useful for exception processing: it should be set to TRUE when a subdissector is called on a fragment of a message so that, when that subdissector runs off the end of the (short) PDU (generating an exception), Wireshark will tell the user it's an "unreassembled packet" rather than a "malformed packet."

It should be set back to the saved value so that if there's another PDU in the frame (which might not be fragmented--yes, that would be weird in some protocols but it might be normal in others) then Wireshark will do the right thing if that PDU's subdissector (also) runs off the end of the TVB. That is, if the 2nd (non-fragmented) PDU's subdissector runs off the end of the TVB Wireshark will correctly report "malformed packet."