Wireshark-users: Re: [Wireshark-users] DNP3 message spanning multiple TCP packets bug

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Wed, 06 Jul 2011 10:13:09 +0100
On 06/07/2011 07:48, Sake Blok wrote:
On 5 jul 2011, at 22:42, Graeme Melia wrote:

I am using Wireshark to monitor a multi-serial port device that
communicates to a server via IP.

The outgoing TCP messages from the server have the DNP3 message embedded,
usually in one packet.

The incoming DNP3 messages are being broken up so that each byte is a
single TCP packet, or a 23 byte DNP3 message becomes 23 TCP packets each
with a payload of 1 data byte.

The problem is that the Wireshark DNP3 dissector is not reassembling the
original DNP3 message.  I have checked the DNP3 option to reassemble
messages split across multiple TCP packets and the TCP setting to allow
subdissector to reassemble TCP streams.

Is this a bug or have I missed something?
Without looking at the packets, it's hard to tell. You might want to try an automated build[1], as some work has been done on DNP reassembly after 1.6.0 came out. If that does not solve your issue, please post a (small) capture file showing the problem to bugs.wireshark.org so it can be checked whether it is a bug (or an enhancement request :-)).

Cheers,


Sake

As Sake mentioned some work has been done on the DNP3 dissector to improve this.  I do this very thing most days and it works OK for me using trunk.  Can you check if a recent automated build fixes your problem?  If it doesn't, raise a bug on the Wireshark Bug tracker (https://bugs.wireshark.org/bugzilla/) and attach a capture illustrating the problem.  The capture can be marked as private if you don't want the world to see it.

-- 
Regards,

Graham Bloice
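The situation described in the thread, one DNP3 link-layer frame delivered as one TCP segment per byte, is exactly what a protocol dissector has to cope with: it can only decide how many bytes a frame occupies once the 10-byte header has arrived, and it must check the header CRC before trusting the LEN byte, otherwise a corrupt length stalls the whole stream. The following is an added example, not code from Wireshark or from anyone in the thread. It is a stand-alone DNP3 link-layer reassembler in Python that is fed TCP payload chunks of any size (including single bytes) and emits only complete, CRC-valid frames; the frame builder and the sample frame it builds are constructed here purely as test input. The framing rules used (0x05 0x64 start bytes, LEN counting control, destination, source and user data, CRC-16/DNP with polynomial 0x3D65 reflected and inverted, user data protected in 16-byte blocks) are those of the DNP3 link layer; the counter names and class name are this example's own.

```python
"""Streaming DNP3 link-layer reassembler (added example, not Wireshark code)."""
import struct

DNP3_START = b"\x05\x64"   # every link-layer frame begins 0x05 0x64
HEADER_LEN = 10            # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
BLOCK = 16                 # user data is CRC-protected in 16-byte blocks


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Encode one link-layer frame; used here only to construct sample input."""
    length = 5 + len(user_data)          # LEN covers ctrl+dest+src+user data
    if length > 255:
        raise ValueError("user data too long for one link-layer frame")
    header = DNP3_START + bytes([length, ctrl]) + struct.pack("<HH", dest, src)
    out = bytearray(header + struct.pack("<H", dnp3_crc(header)))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + struct.pack("<H", dnp3_crc(block))
    return bytes(out)


def header_crc_ok(header: bytes) -> bool:
    return struct.unpack_from("<H", header, 8)[0] == dnp3_crc(header[:8])


def frame_size(header: bytes) -> int:
    """Total on-wire size implied by the LEN byte of a (CRC-checked) header."""
    user_len = header[2] - 5
    blocks = (user_len + BLOCK - 1) // BLOCK
    return HEADER_LEN + user_len + 2 * blocks


def frame_is_valid(frame: bytes) -> bool:
    """Check the header CRC and the CRC of every user-data block."""
    if not header_crc_ok(frame):
        return False
    pos, remaining = HEADER_LEN, frame[2] - 5
    while remaining > 0:
        n = min(BLOCK, remaining)
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != dnp3_crc(block):
            return False
        pos, remaining = pos + n + 2, remaining - n
    return True


class Dnp3Reassembler:
    """Accumulates TCP payload bytes and emits complete, CRC-valid frames."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.bad_frames = 0   # headers/frames rejected (bad CRC or LEN < 5)
        self.skipped = 0      # bytes discarded while resyncing on 0x05 0x64

    def feed(self, chunk: bytes) -> list:
        """Feed one TCP segment payload; return frames completed by it."""
        self.buf += chunk
        frames = []
        while True:
            idx = self.buf.find(DNP3_START)
            if idx < 0:
                # Keep a trailing 0x05: it may be the first byte of a split start.
                keep = 1 if self.buf and self.buf[-1] == DNP3_START[0] else 0
                self.skipped += len(self.buf) - keep
                del self.buf[:len(self.buf) - keep]
                return frames
            if idx:
                self.skipped += idx
                del self.buf[:idx]
            if len(self.buf) < HEADER_LEN:
                return frames                    # header incomplete: wait
            header = bytes(self.buf[:HEADER_LEN])
            # Validate the header before trusting LEN, so a corrupt length
            # byte cannot make us wait forever for bytes that never come.
            if not header_crc_ok(header) or header[2] < 5:
                self.bad_frames += 1
                del self.buf[:1]                 # slide one byte and resync
                continue
            need = frame_size(header)
            if len(self.buf) < need:
                return frames                    # body incomplete: wait
            frame = bytes(self.buf[:need])
            if frame_is_valid(frame):
                frames.append(frame)
                del self.buf[:need]
            else:
                self.bad_frames += 1
                del self.buf[:1]


def reassemble_segments(segments) -> list:
    """Run a sequence of TCP payloads through one reassembler."""
    r = Dnp3Reassembler()
    frames = []
    for seg in segments:
        frames.extend(r.feed(seg))
    return frames


if __name__ == "__main__":
    # Constructed sample: 13 bytes of user data, sent one byte per segment.
    sample = build_frame(0xC4, 1, 1024, bytes(range(13)))
    got = reassemble_segments([bytes([b]) for b in sample])
    print(len(sample), "bytes in", len(sample), "segments ->", len(got), "frame(s)")
```

The point a dissector author takes from this is the two-stage wait: ask for more data until 10 bytes are buffered, verify the header CRC, and only then compute how much more to wait for. A reassembler that trusts LEN before checking the CRC, or that tries to parse a frame from a single one-byte segment, is what produces the "not reassembled" symptom reported above. The feed is also resilient to junk between frames, which matters on a serial-to-IP gateway that may forward line noise.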