Wireshark-dev: Re: [Wireshark-dev] dissecting TCP packets with multiple PDUs

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 11 Aug 2016 11:14:21 -0400


On Fri, Aug 5, 2016 at 1:39 PM, John Dill <John.Dill@xxxxxxxxxxxxxxxxx> wrote:
One problem I have is that I'm creating multiple subtrees for a protocol when two PDUs are found in the same frame.  What's the best way to avoid this?

\code
gint
dissect_mk32_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
  proto_tree *mk32_tree = NULL;
  proto_item *ti;                 /* ti := tree item */
  gint       offset = 0;

  /*
   * This is a high level dissector targeting a re-assembled TCP
   * packet containing MK32 messages.  The main responsibilities
   * of the dissector is to control the meta data displayed in the
   * "Packet List" pane, and to display the packet contents in the
   * "Packet Details" pane.  Typically, the dissection details of
   * higher level protocol messages (MK32) and their contents are
   * handled in message specific sub-dissectors.
   */

  /* Change the Protocol column to MK32 in addition to TCP. */
  col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP/MK32");

  /* Change the Info column to indicate what? */

  /* Process the remaining data only if actively viewed in the
     "Packet Details" pane (when 'tree != NULL'). */
  if (tree)
  {
    ti = proto_tree_add_item(tree, proto_mk32, tvb, offset, -1, ENC_BIG_ENDIAN);
    mk32_tree = proto_item_add_subtree(ti, ett_mk32);

    mk32_dissect_messages(tvb, pinfo, offset, mk32_tree);
  }
  return tvb_length(tvb);
}
\endcode

If the frame has multiple PDUs, I create multiple mk32_tree subtrees instead of just one.  Is there any recommended heuristic or method I should use to determine whether my PDU is in the same frame as another so that I don't make duplicate protocol subtrees, e.g. "if (tree && <current_frame_has_not_already_processed_another_PDU_already>)"

I thought about static variables, or maybe using the 'data' member.  Any suggestions?

I'd suggest not doing anything.  If there are multiple PDUs in the frame then most dissectors will (and arguably should) show you multiple protocol subtrees.  This helps make it obvious to the user that they've got 2 PDUs in that frame...