Wireshark mailing list archives
packet reassemle question
From: Lars Poeschel <poeschel () lemonage de>
Date: Fri, 16 Jan 2015 16:06:14 +0100
Hello! I try to implement a dissector for the 3gpp mux27010 protocol based on the siemens/cinterion mux27010 that is already available in wireshark. Besides some trivial things, the interesting part is the PPP HDLC frames that are carried inside those mux frames. I managed to reassemble the PPP HDLC frames in most cases. I can at the moment handle the case, where on mux frame encapsulates exactly one PPP HDLC frame. I can also handle big PPP HDLC frame that is spread across multiple mux frames, but where I am stuck at the moment is when a mux27010 frame encapsulates more than one PPP HDLC frame. What I do in dissect_mux27010 is this: frag_msg = fragment_add_seq_next(&msg_reassembly_table, tvb, offset, pinfo, 1, NULL, length, more); next_tvb2 = process_reassembled_data(tvb, offset, pinfo, "Reassembled PPP-HDLC message", frag_msg, &msg_frag_items, NULL, mux27010_tree); call_dissector(ppp_hdlc_handle, next_tvb2, pinfo, tree); This does the trick for both of the above mentioned cases, but if there are multiple PPP HDLC frames inside a mux frame this does not work. I have to do the above sequence for every PPP HDLC frame I recognize and sure it can not this way because I use the constant 1 as id to fragment_add_seq_next and the pinfo->fd->num is also the same, so the same hash is used for the msg_reassembly_table hash table and I get the same frag_msg everytime. The protocols frames give me no idea about wheter actual the frame is containing a first, a middle or a last part of the encapsulated protocol. There is no id, no sequence number - nothing. The PPP HDLC frames inside just use the value 0x7e as a mark where a frame ends or begins. Does anyone have an idea how I can do a correct dissection / reassembly in this case ? I thought about storing some internal state of the dissector somewhere and beeing then able to use different ids but this is propably also likely to fail. Another way I can think of is if there where a way to look back from one pinfo to their predecessors and see if there was this special case and to use another id then. But I see no way to look at previous pinfos during dissection. Are there other ideas ? Thanks, Lars ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- packet reassemle question Lars Poeschel (Jan 16)