Wireshark mailing list archives

TCP dissect issue when app-level message spans multiple TCP packets


From: "Fernandez, Rafael" <Rafael.Fernandez () citadelgroup com>
Date: Wed, 4 May 2011 17:19:44 -0500

Hi,

I am writing a dissector plugin and I am using tcp_dissect_pdus in order to reassemble packets. However, I am 
experiencing issues when there are multiple application layer messages in one packet and the last one is not complete. 
Specifically, I have 5 messages in one TCP packet. There are 5 calls to the get_pdu_len function and four calls to the 
dissect_pdu function. Since there is not enough data in the current tvbuff_t, tcp_dissect_pdus returns. When 
dissect_message is called again, the beginning of the message is lost. When get_pdu_len gets called again it reads a 
garbage size.

Per https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html, I thought that tcp_dissect_pdus is 
supposed to handle this. I can't find example code in any dissector in /epan/dissectors/* that handles this differently 
than I do. Am I missing something?


This is part of my code:

void dissect_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
        if(pinfo->tcp_tree != NULL) {
                tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE,
                                 get_message_tcpmessage_len, dissect_message_tcpmessage);
        }
        else {
                // For UDP just print the data for now.
                call_dissector(data_handle, tvb, pinfo, tree);
        }
}

guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
        guint32 size;
        gint32 type;

        if(tvb_length_remaining(tvb, offset) <= 8)
                return 0;

        // Header: 4-byte little-endian size field (excluding the header), then 4-byte little-endian type.
        size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
        type = tvb_get_letohl(tvb, offset+4);
        printf("Len: %u type %d\n", size, type);
        if(strcmp(typeAsString(type), "Unknown") == 0)
        {
                // Unknown type: report everything left in this tvb as the PDU length.
                return tvb_length_remaining(tvb, offset);
        }
        return size;
}

Thanks,
Rafael


Rafael Fernandez
131 South Dearborn Street, Chicago, Illinois 60603
T: 312-395-4224 | C: 312-485-4292
rafael.fernandez () citadelgroup com
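
A stand-alone model of the length-prefixed framing discussed in this message, added here as an illustration; it is not code from the post or from Wireshark and does not use the tcp_dissect_pdus API. It assumes an 8-byte header (4-byte little-endian body length, then 4-byte type) and a 4096-byte cap on a PDU; stream_t, feed and second_segment_result are hypothetical names. It shows that carrying the partial fifth message over to the next segment yields one more PDU, while dropping it makes the next header read land on body bytes and produce a garbage size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u     /* assumed header: 4-byte LE body length + 4-byte LE type */
#define MAX_PDU 4096u  /* assumed sanity cap on a whole PDU */
typedef struct { uint8_t buf[2 * MAX_PDU]; size_t used; } stream_t;

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Feed one TCP segment; returns the number of complete PDUs, or -1 on an
 * implausible length. keep_tail=0 models the symptom: the partial PDU is lost. */
static int feed(stream_t *s, const uint8_t *seg, size_t len, int keep_tail) {
    size_t off = 0;
    int pdus = 0;
    if (len > sizeof s->buf - s->used) return -1;
    memcpy(s->buf + s->used, seg, len);
    s->used += len;
    while (s->used - off >= HDR_LEN) {             /* whole header present */
        uint32_t body = le32(s->buf + off);
        if (body > MAX_PDU - HDR_LEN) return -1;   /* garbage or hostile length */
        if (s->used - off < HDR_LEN + body) break; /* incomplete: wait for more */
        pdus++;
        off += HDR_LEN + body;
    }
    s->used = keep_tail ? s->used - off : 0;
    memmove(s->buf, s->buf + off, s->used);        /* carry the partial PDU over */
    return pdus;
}

/* Constructed sample: five 20-byte messages, split at byte 90 inside the fifth. */
static int second_segment_result(int keep_tail) {
    stream_t s = { .used = 0 };
    uint8_t wire[100];
    memset(wire, 0xAB, sizeof wire);               /* bodies are 0xAB filler */
    for (size_t i = 0; i < 5; i++) {
        memset(wire + 20 * i, 0, HDR_LEN);
        wire[20 * i] = 12;                         /* body length, little-endian */
        wire[20 * i + 4] = (uint8_t)i;             /* message type */
    }
    if (feed(&s, wire, 90, keep_tail) != 4) return -2;
    return feed(&s, wire + 90, 10, keep_tail);     /* result for segment two */
}

int main(void) {
    printf("kept: %d, dropped: %d\n", second_segment_result(1), second_segment_result(0));
    return 0;
}
```

The length cap is what turns the desynchronised read into a clean error instead of a multi-gigabyte PDU claim.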


