Wireshark mailing list archives

Re: Two-level PDU reassembly


From: Nicolás Alvarez <nicolas.alvarez () gmail com>
Date: Fri, 4 Feb 2022 23:52:31 -0300

On Fri, 4 Feb 2022 at 13:44, Jérôme Hamm
(jerome.hamm () planete-sciences org) wrote:

> Hi,
>
> I am working on SSH dissection. I am now trying to reassemble packets.
> Actually there are two levels of fragmentation when you use SFTP.
> The first level is multiple TCP packets which contain data that must be
> decrypted (when you have the right crypto byte count, for example
> 32 KiB).
> And then the decrypted data contains the SFTP data (for example 32 KiB
> worth of read file, which does not fit in the previously mentioned 32 KiB
> because there are headers for SFTP framing, leading to for example [not
> the real value] 32778 bytes), which need to be reassembled separately
> from the encrypted data.
>
> How can I achieve this?
>
> If I am not mistaken, the packet_info structure is not recreated in my
> subdissector, so when I change pinfo->desegment_offset I am actually
> overwriting the value I previously set for TCP reassembly, and all hell
> breaks loose.

Hmm... You can have application-level PDUs split into multiple TLS
records, and those TLS records split into multiple TCP segments, and
Wireshark already reassembles everything correctly in that situation.
Isn't your SSH case similar? Maybe you can look at the TLS dissector
to see how it handles that; I don't know how it works myself...

--
Nicolás
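The two framing levels from the question, as an added standalone C sketch that is not code from this thread or from Wireshark: one buffer holds undecrypted bytes until a whole record is present (what pinfo->desegment_offset/desegment_len requests at the TCP level), and a separate buffer holds decrypted bytes until a whole length-prefixed SFTP packet is present, which is the second state a dissector has to keep on its own rather than by setting pinfo->desegment_offset again (the TLS dissector keeps that second state with the fragment reassembly API). The record format and the XOR stand-in for the cipher are constructed placeholders, not SSH's real binary packet format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Two reassembly states kept apart: pending ciphertext (TCP-level desegmentation)
 * and pending plaintext (SFTP-level reassembly). Constructed wire format: outer
 * record = [u32 len][len bytes XOR 0x5A]; inner SFTP packet = [u32 len][type][data]. */
#define BUF 4096
typedef struct {
    uint8_t outer[BUF]; size_t outer_len;  /* undecrypted bytes awaiting a full record */
    uint8_t inner[BUF]; size_t inner_len;  /* decrypted bytes awaiting a full SFTP packet */
    int pdus; uint32_t last_pdu_len;       /* completed SFTP PDUs */
} reasm_t;
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
/* Inner level: consume every complete SFTP packet; a partial one stays buffered. */
static void sftp_reassemble(reasm_t *r) {
    size_t off = 0;
    while (r->inner_len - off >= 4 && r->inner_len - off >= 4 + rd32(r->inner + off)) {
        r->last_pdu_len = rd32(r->inner + off); r->pdus++;
        off += 4 + r->last_pdu_len;
    }
    memmove(r->inner, r->inner + off, r->inner_len - off); r->inner_len -= off;
}
/* Outer level: append one TCP segment, peel off complete records, decrypt, pass down. */
static void ssh_segment(reasm_t *r, const uint8_t *seg, size_t n) {
    size_t off = 0;
    memcpy(r->outer + r->outer_len, seg, n); r->outer_len += n;
    while (r->outer_len - off >= 4 && r->outer_len - off >= 4 + rd32(r->outer + off)) {
        uint32_t len = rd32(r->outer + off);
        for (uint32_t i = 0; i < len; i++) r->inner[r->inner_len++] = r->outer[off + 4 + i] ^ 0x5A;
        off += 4 + len;
        sftp_reassemble(r);  /* the inner level only ever sees decrypted bytes */
    }
    memmove(r->outer, r->outer + off, r->outer_len - off); r->outer_len -= off;
}
/* Constructed scenario: a 24-byte SFTP packet straddles two 15-byte records, the second
 * record also carries a 6-byte packet, and the 38 wire bytes arrive as 10+20+8-byte TCP
 * segments. Returns the number of SFTP PDUs completed, or a negative code for the failing step. */
static int run_demo(void) {
    uint8_t plain[30] = {0}, wire[64]; size_t w = 0; reasm_t r = {0};
    plain[3] = 20; plain[4] = 1; plain[27] = 2; plain[28] = 2;  /* len 20/type 1, len 2/type 2 */
    for (int i = 0; i < 2; i++) {                               /* two records of 15 plaintext bytes */
        wire[w] = wire[w + 1] = wire[w + 2] = 0; wire[w + 3] = 15; w += 4;
        for (int j = 0; j < 15; j++) wire[w++] = plain[15 * i + j] ^ 0x5A;
    }
    ssh_segment(&r, wire, 10);      if (r.pdus != 0) return -1;  /* record 1 still incomplete */
    ssh_segment(&r, wire + 10, 20); if (r.pdus != 0) return -2;  /* record 1 done, packet 1 not */
    ssh_segment(&r, wire + 30, 8);  if (r.pdus != 2) return -3;  /* both packets complete */
    return (r.inner_len == 0 && r.outer_len == 0 && r.last_pdu_len == 2) ? r.pdus : -4;
}
int main(void) { printf("completed SFTP PDUs: %d\n", run_demo()); return 0; }
```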
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
