Wireshark mailing list archives
Re: calculating PDU size of TCP message
From: "John Dill" <John.Dill () greenfieldeng com>
Date: Tue, 22 Jul 2014 12:09:06 -0400
Message: 3
Date: Mon, 21 Jul 2014 13:52:40 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] calculating PDU size of TCP message
Message-ID: <937C9F55-5330-4553-85A3-51543AEEDBD1 () alum mit edu>
Content-Type: text/plain; charset=iso-8859-1

On Jul 21, 2014, at 1:46 PM, "John Dill" <John.Dill () greenfieldeng com> wrote:

I have a TCP message (that I reverse engineered) that contains blocks of the following type:

    -------------
    | Data Type   | 4 bytes
    -------------
    | Payload Len | 4 bytes
    -------------
    | Checksum    | 4 bytes
    -------------
    | Data        | = Payload Len
    -------------
    (repeats)

Since I did not know about the underlying structure, I used tcp_dissect_pdus with a TCP header length of 12 bytes to be able to read a single block.

    tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages, TCP_PAYLOAD_HDR_LENGTH, get_tcp_pdu_len, dissect_tcp_pdu);

I have discovered that in general, this application layer message can have multiple blocks

What do you mean by "this application layer message"?
I use "application layer" in reference to the OSI model as a protocol that sits on top of a transport protocol layer. An "application layer message" refers to a PDU that was desegmented from one or more TCP packets. Maybe PDU is the term I should use here.
If a "block" is

    -------------
    | Data Type   | 4 bytes
    -------------
    | Payload Len | 4 bytes
    -------------
    | Checksum    | 4 bytes
    -------------
    | Data        | = Payload Len
    -------------
That is correct. Each of these "blocks" could probably be referred to as a PDU as well.
then presumably there's some *other* header that indicates which blocks are part of a given application layer message, or a convention that an application layer message consists of a sequence of blocks all of the same data type (so that a change in the data type is an indication that one application layer message ended and another began), or something such as that.
Unfortunately, there is no other header that identifies which blocks are part of a given application layer message. It is just a sequence of blocks. There are "control" messages sent from the client to the server, and "data" messages, both periodic and on-demand, from the server to the client and vice versa. Here are the scenarios that I see in the data.

1. A single TCP packet payload contains 1 block (for "control" messages or medium to smaller "data" messages).
2. Multiple TCP packets are desegmented to contain 1 block (for large "data" messages, up to a few KB).
3. A single TCP packet payload contains 2 or more blocks (for multiple "control" messages and smaller "data" messages).
Without knowing that, it will be impossible to do

    Frame
    Ethernet II
    Internet Protocol Version 4
    Transmission Control Protocol
    Application Protocol
        Block 1
        Block 2
        Block ...
        Block N

because Wireshark won't be able to determine where one application layer message begins and another ends.
I see. I originally thought I had a mistake in the dissector since it's the first time I've encountered multiple PDUs in a single TCP packet. I had expected them to all be in the same "Application Protocol" since that is what I've always seen before. Now it's clear what is going on.

Thanks again,
John Dill
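The loop that tcp_dissect_pdus performs internally, written out as a Wireshark Lua dissector for the block format in this thread. This is an added example, not code from the thread or from Wireshark; it assumes the three 4-byte fields are big-endian and that the service listens on TCP port 9999, neither of which the thread states.

```lua
-- Example Lua dissector (added for this thread, not from it). It does by hand what
-- tcp_dissect_pdus does in C: walk every block in the segment and ask TCP for more
-- bytes when a block is cut off. Assumptions not stated in the thread: the three
-- 4-byte fields are big-endian, and the service listens on TCP port 9999.
local blk = Proto("blkproto", "Block Protocol (example)")

local f_type = ProtoField.uint32("blkproto.type", "Data Type",   base.HEX)
local f_len  = ProtoField.uint32("blkproto.len",  "Payload Len", base.DEC)
local f_csum = ProtoField.uint32("blkproto.csum", "Checksum",    base.HEX)
local f_data = ProtoField.bytes ("blkproto.data", "Data")
blk.fields = { f_type, f_len, f_csum, f_data }

local HDR_LEN = 12   -- Data Type + Payload Len + Checksum

function blk.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "BLK"
    local offset = 0
    local total  = tvb:len()

    -- Scenario 3: several blocks in one segment are handled by looping, one
    -- subtree per block, instead of treating the whole segment as one message.
    while offset < total do
        local remaining = total - offset

        -- Not even the 12-byte header is here yet: ask TCP for another segment.
        -- desegment_offset marks where the incomplete block starts, so the blocks
        -- already dissected above are not handed back to us a second time.
        if remaining < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local payload_len = tvb(offset + 4, 4):uint()   -- big-endian (assumed)
        local pdu_len     = HDR_LEN + payload_len       -- same sum as get_tcp_pdu_len

        -- Scenario 2: the block spans segments; request exactly the missing bytes.
        if remaining < pdu_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = pdu_len - remaining
            return
        end

        local sub = tree:add(blk, tvb(offset, pdu_len), "Block")
        sub:add(f_type, tvb(offset,     4))
        sub:add(f_len,  tvb(offset + 4, 4))
        sub:add(f_csum, tvb(offset + 8, 4))
        if payload_len > 0 then sub:add(f_data, tvb(offset + HDR_LEN, payload_len)) end
        offset = offset + pdu_len
    end
end

DissectorTable.get("tcp.port"):add(9999, blk)   -- port is a constructed placeholder
```

In the C version from the thread, get_tcp_pdu_len returns the same 12 + Payload Len and tcp_dissect_pdus runs this loop itself, which is why one TCP segment holding two blocks shows up as two PDUs rather than one "Application Protocol" node.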