El vie, 4 feb 2022 a la(s) 13:44, Jérôme Hamm
(jerome.hamm@xxxxxxxxxxxxxxxxxxxx) escribió:
>
> Hi,
>
> I am working on ssh dissection. I am now trying to reassemble packets.
> Actually there are two levels of fragmentation when you use sftp.
> The first level are multiple tcp packets which contain data that must be
> decrypted (when you have the right crypto byte count, for example
> 32kiB).
> And then the decrypted data contains the sftp data (for example 32kiB
> worth of read file, which do not fit in the previously mentioned 32kiB
> because there are headers for sftp framing, leading to for example [not
> the real value] 32778 bytes), which need to be reassembled separately
> from the crypted data.
>
> How can I achieve this?
>
> If I am not mistaken, the packet_info structure is not recreated in my
> subdissector, so when I change the pinfo->desegment_offset I am actually
> overwriting the value I previously set for tcp reassembly, and all hell
> breaks loose.
Hmm... You can have application-level PDUs split into multiple TLS
records, and those TLS records split into multiple TCP segments, and
Wireshark already reassembles everything correctly in that situation.
Isn't your SSH case similar? Maybe you can look at the TLS dissector
to see how it handles that; I don't know how it works myself...
--
Nicolás