Wireshark mailing list archives

Q about reassembly.


From: Christian Hopps <chopps () chopps org>
Date: Mon, 20 Jan 2020 16:33:45 -0500

So with IPTFS (https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-00) I've got basically a packet stream inside an 
IPsec/ESP datagram packet stream. I've built various data structures to track out-of-order, etc., fragments as I get 
called for dissecting each IPTFS payload. When there's a full packet fragment inside the current payload I simply 
create a subset tvbuff and call "call_dissector" on the packet data, and this works for the full fragments.

Also, I think the right thing to do is also associate the fragmented IP packet whose data ends in the current IPTFS 
payload with that IPTFS payload. So:

===========================  \
end of IP-A packet end frag  |
---------------------------  |
  IP-B packet (full frag)    + IPTFS payload A
---------------------------  |
start of IP-C packet frag    |
===========================  /

Then when I am dissecting "IPTFS payload A" I will associate "IP-A" and "IP-B" with the payload. "IP-C" will be 
associated with the payload that has the final bytes for it (IP-C).

So that's all good. Now, what I am not sure how to do is how to tell wireshark about "IP-A". Currently I track the 
frame numbers that contain all the data for "IP-A", but I don't know what to do with those numbers. I imagined I could 
maybe walk through the frame numbers calling something which would invoke call_dissector with a user data arg to gather 
the entire packet contents together, doing this all from within the IPTFS payload A dissect routine, and then with that 
new data in-hand call_dissector for the ip protocol using this new data.

Perhaps I should just create a new data source tvb, storing that with the first fragment packet, and copy subsequent 
data I discover into that new data source, then when I get all the data, in the final fragment payload, use that new 
data source to invoke the call_dissector on the inner IP packet? I didn't like this route b/c it disassociates the data 
from the fragments they came from, but maybe that's what I have to do?

Or something totally different? :)

I can't just use a TCP-like reassembler b/c the packets are not guaranteed to be in order, so asking for "one more 
packet" and getting the previous packets' data doesn't make any sense for me.

Anyone have some pointers on how to tell wireshark to "dissect" an IP packet with a data source spread over multiple 
non-linear packet sources?

Thanks,
Chris.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
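The bookkeeping the post describes (slices of one inner IP packet arriving across several outer IPTFS frames, in any order, with the contributing frame numbers remembered so they can be listed under the reassembled packet) as an added, stand-alone C example. This is not code from the post or from the Wireshark project. Inside a real dissector the same ground is covered by Wireshark's epan/reassemble.h API, where `fragment_add_seq_check()` accepts fragments keyed by a reassembly id and a fragment sequence number in any order and `process_reassembled_data()` produces the reassembled tvbuff and the fragment subtree; the model below has no Wireshark dependency so it can be compiled and stepped through on its own. It assumes the caller already knows each slice's byte offset within the inner packet (in IPTFS that has to be derived from the outer sequence numbers and block offsets, which is out of scope here), takes the inner packet's length from its own IP header, and the frame numbers, packet sizes and the MAX_PKT/MAX_FRAGS bounds are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKT   1500  /* assumed bound on an inner packet; size it for the link MTU */
#define MAX_FRAGS 16    /* assumed bound on slices per inner packet */

/* One slice of an inner packet and the outer (IPTFS) capture frame that carried it. */
typedef struct { uint32_t frame, offset, len; } frag_ref_t;

/* Reassembly state for one inner packet (in a dissector: one entry per reassembly id). */
typedef struct {
    uint32_t   total_len;      /* 0 until the slice holding the inner IP header arrives */
    uint32_t   covered;        /* distinct bytes received so far */
    int        nfrags;
    frag_ref_t frags[MAX_FRAGS];
    uint8_t    buf[MAX_PKT];
    uint8_t    have[MAX_PKT];  /* per-byte coverage, so duplicate slices do not double count */
} reasm_t;

void reasm_init(reasm_t *r) { memset(r, 0, sizeof *r); }

/* Inner packet length from its own IP header: IPv4 total length, or IPv6 payload length + 40.
   Returns 0 if the version is unrecognised or the slice is too short to hold the field. */
uint32_t inner_ip_len(const uint8_t *p, uint32_t n)
{
    if (n >= 4 && (p[0] >> 4) == 4) return ((uint32_t)p[2] << 8) | p[3];
    if (n >= 6 && (p[0] >> 4) == 6) return 40u + (((uint32_t)p[4] << 8) | p[5]);
    return 0;
}

/* Add one slice. Slices may arrive in any order and may repeat.
   Returns 1 when every byte of the inner packet is present, 0 if more is needed, -1 on error. */
int reasm_add(reasm_t *r, uint32_t frame, uint32_t offset, const uint8_t *data, uint32_t len)
{
    if (len == 0 || offset + len > MAX_PKT || r->nfrags == MAX_FRAGS) return -1;
    if (offset == 0 && r->total_len == 0) {
        r->total_len = inner_ip_len(data, len);
        if (r->total_len == 0 || r->total_len > MAX_PKT) return -1;
        for (uint32_t i = r->total_len; i < MAX_PKT; i++)   /* earlier slices past the end? */
            if (r->have[i]) return -1;
    }
    if (r->total_len && offset + len > r->total_len) return -1;
    for (uint32_t i = 0; i < len; i++) {
        if (r->have[offset + i]) {
            if (r->buf[offset + i] != data[i]) return -1;  /* conflicting overlap: flag it, do not guess */
            continue;
        }
        r->buf[offset + i] = data[i];
        r->have[offset + i] = 1;
        r->covered++;
    }
    r->frags[r->nfrags].frame = frame;
    r->frags[r->nfrags].offset = offset;
    r->frags[r->nfrags].len = len;
    r->nfrags++;
    return (r->total_len && r->covered == r->total_len) ? 1 : 0;
}

/* Contributing frame numbers ordered by inner offset: what a dissector would list under the
   reassembled packet so the user can jump to each fragment. Returns the count written. */
int reasm_frames(const reasm_t *r, uint32_t *out, int max)
{
    frag_ref_t s[MAX_FRAGS];
    memcpy(s, r->frags, sizeof(frag_ref_t) * (size_t)r->nfrags);
    for (int i = 1; i < r->nfrags; i++) {            /* insertion sort by offset; nfrags is small */
        frag_ref_t k = s[i]; int j = i - 1;
        while (j >= 0 && s[j].offset > k.offset) { s[j + 1] = s[j]; j--; }
        s[j + 1] = k;
    }
    int n = 0;
    for (int i = 0; i < r->nfrags && n < max; i++) out[n++] = s[i].frame;
    return n;
}

/* Constructed scenario: a 60-byte IPv4 packet (IP-A in the post's figure) split across outer
   frames 10, 11 and 12 that get dissected in the order 12, 10, 11. Returns 1 if reassembly
   completes exactly on the last slice, the bytes match, and the frames come back as 10, 11, 12. */
int demo_out_of_order(void)
{
    uint8_t pkt[60];
    for (int i = 0; i < 60; i++) pkt[i] = (uint8_t)i;
    pkt[0] = 0x45; pkt[2] = 0; pkt[3] = 60;                  /* IPv4 header, total length 60 */
    reasm_t r; reasm_init(&r);
    if (reasm_add(&r, 12, 40, pkt + 40, 20) != 0) return 0;  /* tail first: length still unknown */
    if (reasm_add(&r, 10,  0, pkt,      20) != 0) return 0;  /* header arrives: length now 60 */
    if (reasm_add(&r, 11, 20, pkt + 20, 20) != 1) return 0;  /* middle slice completes it */
    if (memcmp(r.buf, pkt, 60) != 0) return 0;
    uint32_t fr[MAX_FRAGS];
    int n = reasm_frames(&r, fr, MAX_FRAGS);
    return n == 3 && fr[0] == 10 && fr[1] == 11 && fr[2] == 12;
}

/* Constructed failure mode: the same byte range arrives twice with different content.
   Returns reasm_add's result for the second copy (-1: flagged rather than silently resolved). */
int demo_conflicting_overlap(void)
{
    uint8_t a[20] = {0x45, 0, 0, 60}, b[20] = {0x45, 0, 0, 60};
    b[10] = 0xff;
    reasm_t r; reasm_init(&r);
    if (reasm_add(&r, 10, 0, a, 20) != 0) return 99;
    return reasm_add(&r, 13, 0, b, 20);
}

int main(void)
{
    printf("out-of-order reassembly: %s\n", demo_out_of_order() ? "ok" : "FAIL");
    printf("conflicting overlap flagged: %s\n", demo_conflicting_overlap() == -1 ? "ok" : "FAIL");
    return 0;
}
```

Once `reasm_add()` returns 1, the dissector equivalent of `buf` would be handed to the IP dissector as a new real-data tvbuff (with the frame list shown as the fragment subtree), which is the "new data source" route the post considers; the per-byte coverage map and the conflict check are the two pieces that a plain append-in-order reassembler lacks and that out-of-order delivery makes necessary.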
