Ethereal-dev: Re: [Ethereal-dev] help with broken-up messages running atop TCP?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 8 May 2003 12:48:07 -0700

On Thu, May 08, 2003 at 01:44:23PM -0400, nak26 wrote:
> I decided to revisit our conversation...
> 
> >However, with the current scheme, "tcp_dissect_pdus()" would set the
> >reported length to the length from the header, causing the
> >"Unreassembled Packet" error to be reported with BoundsError and show up
> >as "Short Frame", rather than as "Malformed Packet" or "Unreassembled
> >Packet".
> 
> If it shows as "Unreassembled Packet", would that cause Ethereal to
> reassemble the conversation?

What do you mean by "reassemble the conversation"? Reassembling the
conversation in its entirety, as "Follow TCP Stream" does, has nothing
to do with reassembling individual packets split across TCP segment
boundaries, as dissectors do when they use "tcp_dissect_pdus()".

> If not, how then would calling tcp_dissect_pdus()
> help me in reassembling broken-up messages? I guess, if you
> could describe a use case, that would be most appreciated.

See "packet-dns.c" for an example of how to use "tcp_dissect_pdus()".

> >If the packet isn't being reassembled, "tcp_dissect_pdus()"
> 
> Following my previous question, how exactly is the packet reassembly
> triggered?

It's triggered by making the dissector use the reassembly mechanism -
having it use "tcp_dissect_pdus()" is, if it's possible at all, the
easiest way to do that - and enabling both TCP reassembly (that's a
protocol preference for TCP; it defaults to "not enabled") and
reassembly of the particular protocol if that happens to be a preference
item (it usually defaults to "enabled").

> When I right-click on the "Short Frame" packet and choose Follow TCP
> Stream I see the whole conversation. Can this be handed to my
> dissector as a tvb?

No.

> >I suspect that, in this case, your packets aren't getting reassembled,
> >for whatever reason. Is the TCP checksum valid?
> 
> The TCP checksum, as reported by Ethereal, is "correct".

Then I'd have to see

	1) your network trace

and

	2) your dissector

to figure out what's going wrong.

> Can you suggest something else besides calling tcp_dissect_pdus() that
> can help in these situations?

The only alternative to calling "tcp_dissect_pdus()" is to do the stuff
it does yourself; some dissectors do so because "tcp_dissect_pdus()"
doesn't do things the way they need.

> README.developer mentions "conversations". Can they 
> be helpful in such cases?

No.  They only keep track of the conversation to which a TCP segment
belongs; they don't provide reassembly services of any sort.
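
An added illustration, not part of the original message and not Ethereal code: a stand-alone C model of what reassembling PDUs split across TCP segment boundaries involves when the PDU length comes from a fixed-length header. The 2-byte big-endian length prefix (the framing DNS uses over TCP), BUF_MAX, and the names reasm_feed and note_pdu are assumptions of this example, and segments are assumed to arrive in order.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 2     /* assumed fixed part: 2-byte big-endian body length */
#define BUF_MAX 4096  /* assumed cap on bytes buffered for one stream direction */

struct reasm { uint8_t buf[BUF_MAX]; size_t have; };
struct seen  { int count; size_t last_len; };
typedef void (*pdu_cb)(const uint8_t *body, size_t len, void *ctx);

/* Hypothetical per-PDU "dissector": records what it was handed. */
void note_pdu(const uint8_t *body, size_t len, void *ctx)
{
    struct seen *s = ctx;
    (void)body;
    s->count++;
    s->last_len = len;
}

/* Feed one segment payload. Returns PDUs delivered, or -1 if it cannot fit. */
int reasm_feed(struct reasm *r, const uint8_t *seg, size_t n, pdu_cb cb, void *ctx)
{
    size_t off = 0;
    int delivered = 0;
    if (n > BUF_MAX - r->have) return -1;
    memcpy(r->buf + r->have, seg, n);
    r->have += n;
    while (r->have - off >= HDR_LEN) {            /* the header itself may be split */
        size_t pdu = HDR_LEN + (((size_t)r->buf[off] << 8) | r->buf[off + 1]);
        if (pdu > BUF_MAX) return -1;             /* length field is untrusted input */
        if (r->have - off < pdu) break;           /* wait for later segments */
        cb(r->buf + off + HDR_LEN, pdu - HDR_LEN, ctx);
        off += pdu;
        delivered++;
    }
    memmove(r->buf, r->buf + off, r->have - off); /* keep the partial tail */
    r->have -= off;
    return delivered;
}

int main(void)
{
    /* Constructed sample: PDUs "hello" and "abc" split across three segments. */
    const uint8_t s1[] = {0, 5, 'h', 'e'}, s2[] = {'l', 'l', 'o', 0}, s3[] = {3, 'a', 'b', 'c'};
    struct reasm r = {{0}, 0};
    struct seen s = {0, 0};
    reasm_feed(&r, s1, sizeof s1, note_pdu, &s);  /* 0 PDUs: body incomplete */
    reasm_feed(&r, s2, sizeof s2, note_pdu, &s);  /* 1 PDU, 1 header byte kept */
    reasm_feed(&r, s3, sizeof s3, note_pdu, &s);  /* 1 PDU, buffer empty again */
    return s.count == 2 ? 0 : 1;
}
```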