Wireshark mailing list archives

Re: Wireshark dissector development - Reassembly tcp frames


From: Peter Wu <peter () lekensteyn nl>
Date: Wed, 05 Nov 2014 16:05:32 +0100

On Tuesday 04 November 2014 11:48:03 Guillaume Ribière wrote:
I read the README.dissector and tried using two methods:

   First method:

   tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
                    get_dns_pdu_len, dissect_dns_tcp_pdu, data);
   return tvb_captured_length(tvb);

You would use this when your protocol has a well-defined packet message format
where the length of a packet can be determined from the beginning of a message.
Example: SSL has a record length notion. IIRC this will call dns_desegment
multiple times if a packet contains multiple PDUs ("messages").

   Second method :

   guint offset = 0;
   while(offset < tvb_reported_length(tvb)) {
       gint available = tvb_reported_length_remaining(tvb, offset);
       gint len = tvb_strnlen(tvb, offset, available);

       if( -1 == len ) {
           /* we ran out of data: ask for more */
           pinfo->desegment_offset = offset;
           pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
           return (offset + available);
       }

       [..]
       offset += (guint)len;
   }

   /* if we get here, then the end of the tvb coincided with the end of a
      string. Happy days. */
   return tvb_captured_length(tvb);

This can be used if you do not know the length of the data beforehand. In the
above example, a C string is NUL-terminated and you cannot know the full
length until you have read everything.

But it is impossible to reassemble the message, and I do not understand why ... can
you help me please? I hope you understand my problem ...: /

What issue are you encountering? Be very careful not to return 0 from a
dissector as it means "I do not know this data, pass it to a different
dissector". If you set desegment_len to a fixed positive value other than
DESEGMENT_ONE_MORE_SEGMENT, then you won't be able to change the segment length
later.
-- 
Kind regards,
Peter
https://lekensteyn.nl
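
A stand-alone model of the length-prefixed framing that the first method relies on, added here as an illustration; it is not code from this thread or from Wireshark and does not use the Wireshark API. It assumes a 2-byte big-endian length prefix (the fixed length 2 in the call above); `split_pdus`, `framing_result` and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define HDR_LEN 2 /* fixed prefix size, the "2" passed to tcp_dissect_pdus */

/* Outcome of one pass over the bytes buffered so far for a stream. */
struct framing_result {
    size_t pdus;      /* complete PDUs found */
    size_t consumed;  /* bytes covered by those complete PDUs */
    size_t need_more; /* 0: ended on a PDU boundary; else minimum bytes missing */
};

/* Constructed sample: two PDUs, "abc" and "xy", each with a 2-byte length. */
static const uint8_t sample_stream[] = {0, 3, 'a', 'b', 'c', 0, 2, 'x', 'y'};
/* Whole-PDU length = prefix + big-endian 16-bit payload length. */
static size_t get_pdu_len(const uint8_t *p)
{
    return HDR_LEN + (((size_t)p[0] << 8) | p[1]);
}

struct framing_result split_pdus(const uint8_t *buf, size_t len)
{
    struct framing_result r = {0, 0, 0};
    while (r.consumed < len) {
        size_t avail = len - r.consumed;
        if (avail < HDR_LEN) {          /* the prefix itself is split */
            r.need_more = HDR_LEN - avail;
            break;
        }
        size_t pdu_len = get_pdu_len(buf + r.consumed);
        if (avail < pdu_len) {          /* the payload is split */
            r.need_more = pdu_len - avail;
            break;
        }
        r.pdus++;                       /* a real dissector decodes the PDU here */
        r.consumed += pdu_len;
    }
    return r;
}

int main(void)
{
    size_t cuts[] = {1, 6, 7, sizeof sample_stream}; /* bytes received so far */
    for (size_t i = 0; i < sizeof cuts / sizeof cuts[0]; i++) {
        struct framing_result r = split_pdus(sample_stream, cuts[i]);
        printf("%zu bytes: %zu PDUs, %zu consumed, need %zu more\n",
               cuts[i], r.pdus, r.consumed, r.need_more);
    }
    return 0;
}
```

The `consumed` and `need_more` values play the role that `pinfo->desegment_offset` and `pinfo->desegment_len` play in the second method quoted above.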
