Ethereal-dev: [Ethereal-dev] thoughts on reassembly...
I had a thought pop into my head this morning on a relatively
straightforward way to implement reassembly of packets/frags/etc. For what
follows, I'm assuming UDP-style only, although the basic approach would be
the same.
First, it depends on one thing - is there a way for dissectors to get at
data from previous frames?
The basic approach I was thinking of goes something like this: have a
'chunks' facility, similar to the conversations facility. When a dissector
sees that is has a partial frame/fragment/etc that it knows is part of
something larger, then it registers that sequence number/piece in the
structure.
As each frame comes in, if it sees that it's not whole, it looks up the
piece in the structure, if it finds a corresponding record, it adds it to
that record. It then passes that piece onto dissectors like always. Once
that is done, it then checks the record for completeness - if all the pieces
are registered, it then takes the data in that record, and creates a
pseudo-frame that contains the data from all, and passes THAT along to the
other dissectors.
i'd like to see it have some way of indicating in the display that this
frame is a reconstructed object, not a on-the-wire-one-piece object.
The structure I was thinking is something like:
Array of framesets: [
FrameSetID: (some identifier for the group of pieces)
TotalSize:
Array-Pieces[
frame_id - something that can be passed to a routine to get
the data from
a previous captured frame
frame_data_offset - offset in that frame where the stuff we
are
interested in starts (i.e. start of udp data if we
are
handling udp fragments)
frameset_data_offset - offset in the whole group of the
start of the data
frameset_data_length - length of data for the group
]
]
As each piece came in, it would be stuck in the pieces array for the
frameset, the check-for-completeness operation would look at the totalsize,
and all of the pieces, and see if the entire frameset was found. If it was,
it would allocate memory for the totalsize, and then go through each piece,
copying the data from fs_d_o for fs_d_l to the appropriate place in the
allocated memory, then pass that whole thing along to subdissectors as if it
were the frame that was received on the wire.
I'm sure there are lots of problems with the above approach, but I figured
I'd shoot it off. If nothing else, something I mentioned might be useful to
another developer.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@xxxxxxx
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216