Re: dissecting TCP packets with multiple PDUs

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Fri, Aug 5, 2016 at 1:39 PM, John Dill <John.Dill () greenfieldeng com>
wrote:

> One problem I have is that I'm creating multiple subtrees for a protocol
> when two PDUs are found in the same frame.  What's the best way to avoid
> this?
>
> \code
> gint
> dissect_mk32_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
> void *data)
> {
>   proto_tree *mk32_tree = NULL;
>   proto_item *ti;                 /* ti := tree item */
>   gint       offset = 0;
>
>   /*
>    * This is a high level dissector targeting a re-assembled TCP
>    * packet containing MK32 messages.  The main responsibilities
>    * of the dissector is to control the meta data displayed in the
>    * "Packet List" pane, and to display the packet contents in the
>    * "Packet Details" pane.  Typically, the dissection details of
>    * higher level protocol messages (MK32) and their contents are
>    * handled in message specific sub-dissectors.
>    */
>
>   /* Change the Protocol column to MK32 in addition to TCP. */
>   col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP/MK32");
>
>   /* Change the Info column to indicate what? */
>
>   /* Process the remaining data only if actively viewed in the
>      "Packet Details" pane (when 'tree != NULL'). */
>   if (tree)
>   {
>     ti = proto_tree_add_item(tree, proto_mk32, tvb, offset, -1,
> ENC_BIG_ENDIAN);
>     mk32_tree = proto_item_add_subtree(ti, ett_mk32);
>
>     mk32_dissect_messages(tvb, pinfo, offset, mk32_tree);
>   }
>   return tvb_length(tvb);
> }
> \endcode
>
> If the frame has multiple PDUs, I create multiple mk32_tree subtrees
> instead of just one.  Is there any recommended heuristic or method I should
> use to determine whether my PDU is in the same frame as another so that I
> don't make duplicate protocol subtrees, e.g. "if (tree &&
> <current_frame_has_not_already_processed_another_PDU_already>)"
>
> I thought about static variables, or maybe using the 'data' member.  Any
> suggestions?

I'd suggest not doing anything.  If there are multiple PDUs in the frame
then most dissectors will (and arguably should) show you multiple protocol
subtrees.  This helps make it obvious to the user that they've got 2 PDUs
in that frame...

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe