On Sat, Jun 04, 2016 at 12:44:31AM +0300, Max Dmitrichenko wrote:
> Hi everybody!
>
> Some time ago I wrote a dissector of a TCP-based protocol, and I was faced with
> the problem of TCP out-of-order frames. E.g.:
> 1) Duplicated packet
> 2) Out-of-order packet later followed by TCP retransmission
> 3) Simple reordering
> and so on.
>
> Most protocols seem to be tolerant to this. But if your protocol is
> encrypted or compressed, such an event poisons the state of the decoder or
> decompressor and most of the time it is unrecoverable.
>
> Does Wireshark have anything to handle this? If not, is there any demand for
> such functionality from dissectors' authors?

The reassembly API can be used if a protocol cares about the ordering,
see epan/reassemble.h. Being able to accept out-of-order packets is
currently a bug/wishlist item
(https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9461).
Possible concerns that arise are increased memory usage and failure to
dissect any data if (say) parts of the data are missing.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
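
An added example, not part of the thread and not Wireshark's reassembly API: a bounded reorder buffer that sits in front of a stateful decoder and handles the three cases listed in the question (duplicate, early segment later filled by a retransmission, simple reordering) while capping memory, the concern raised in the reply. All names (`reorder_feed`, `MAX_PENDING`, `MAX_SEG`) and the size limits are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#define MAX_PENDING 8   /* cap on parked segments, bounds memory use */
#define MAX_SEG     64  /* cap on bytes per parked segment */
struct seg { uint32_t seq; uint16_t len; uint8_t data[MAX_SEG]; int used; };
struct reorder {
    uint32_t next_seq;                /* next byte the decoder expects */
    struct seg pending[MAX_PENDING];  /* segments that arrived early */
    uint8_t out[256]; size_t out_len; /* stand-in for the decoder's input */
    unsigned dropped;                 /* early segments refused (buffer full) */
};

/* Pass bytes to the decoder, trimming whatever was already delivered. */
static void deliver(struct reorder *r, uint32_t seq, const uint8_t *d, uint16_t len)
{
    int32_t behind = (int32_t)(r->next_seq - seq);  /* wrap-safe distance */
    if (behind >= (int32_t)len) return;             /* duplicate: nothing new */
    d += behind; len -= behind;                     /* partial overlap */
    if (r->out_len + len > sizeof r->out) return;   /* demo sink is full */
    memcpy(r->out + r->out_len, d, len);
    r->out_len += len; r->next_seq += len;
}

/* Returns 1 if the segment was delivered or parked, 0 if it was dropped. */
int reorder_feed(struct reorder *r, uint32_t seq, const uint8_t *d, uint16_t len)
{
    if ((int32_t)(seq - r->next_seq) > 0) {         /* gap before it: park */
        if (len > MAX_SEG) { r->dropped++; return 0; }
        for (int i = 0; i < MAX_PENDING; i++)
            if (r->pending[i].used && r->pending[i].seq == seq) return 1;
        for (int i = 0; i < MAX_PENDING; i++) if (!r->pending[i].used) {
            r->pending[i] = (struct seg){ seq, len, {0}, 1 };
            memcpy(r->pending[i].data, d, len);
            return 1;
        }
        r->dropped++; return 0;                     /* memory cap reached */
    }
    deliver(r, seq, d, len);
    for (int again = 1; again; ) {                  /* drain newly contiguous data */
        again = 0;
        for (int i = 0; i < MAX_PENDING; i++) {
            struct seg *s = &r->pending[i];
            if (s->used && (int32_t)(s->seq - r->next_seq) <= 0) {
                deliver(r, s->seq, s->data, s->len);
                s->used = 0; again = 1;
            }
        }
    }
    return 1;
}
```

A nonzero `dropped` count, or parked segments that never drain, means the stream has a hole and the decoder state after that point cannot be trusted.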