Wireshark-dev: [Wireshark-dev] A plugin dissector and fragmented messages
From: Still Life <still.life@xxxxxxxx>
Date: Wed, 06 Sep 2006 18:07:05 +0200
Hi,
my name is Fabio and I'm from Genova, Italy.
I'm developing a plugin dissector for a protocol used by
a telephony over IP application on top of TCP protocol.
Packets have this format:

          |<-----------------myMsg------------------->|
|---------+--------+----+------------+--------+--||---+
|tcpHeader|55555555|0000|mesageLenght|messgeId|details|
|---------+--------+----+------------+--------+--||---+

I wrote with good results a dissector that dissect any signle
packet containing one ore more different type of message (messageID)
but when packets are fragmented I don't know what to do.

Example of fragmented Packets:

firstpacket:
|----------+--------+----+------------+--------+-----------+
|tcp header|55555555|0000|mesageLenght|messgeId|veryLong...|
|----------+--------+----+------------+--------+-----------+
           ^(offsetLastMsg)                                ^Fragment!
secondpacket:
|----------+----------+
|tcp header|...details|
|----------+----------+


firstpacket:
|----------+--------+--------+-||-+----------+--------+----+
|tcp header|myMsg(1)|myMsg(2)|... |myMsg(N-K)|55555555|0...|
|----------+--------+--------+-||-+----------+--------+----+
                                             ^offsetLastMsg^Fragment!
secondpacket:
|----------+------------------------+-||-+--------+
|tcp header|...myMsg(N-K+1)(partial)|... |myMsg(N)|
|----------+------------------------+-||-+--------+


The first tcp header is already dissected and the tvb passed
to my dissector start from the first 55555555.
With the use of tvb->length and the info present in each
if myMsg (mesageLenght) I'm able to determine if a packet
is fragmented.

In the two fragmented case, in the function
dissect_protocol(tvp,pinfo,tree) I would
like to save the current tvb fragmented portion:

if(fragmented reveal condition...)
{
    fragmented_flag=1;
    previous_tvb = tvb_new_subset(tvb , offsetLastMsg, -1, -1);
}

and when the second part arrive I would like to make a
complete_tvb that contain the new data, something like:

if(fragment_flag)
{
    complete_tvb = tvb_merge(previous_tvb, tvb);
}

and dissect complete_tvb instead of this one.

I read the developer manual, README.developer, other dissectors
code and search in the old message and on google but I
can't figure how to do that.
I read the "How to reassemble split packets" in the developer
manual and try to code something similar...but I was not able
to make it work.
I never do a similar work before, please, can someone help me?
Thanks in advance,
                  Fabio


--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Sponsor:
Refill srl il paradiso della tua stampante - cartucce e toner compatibili, inchiostri e accessori per la ricarica, carta speciale. Tutto a prezzi scontatissimi!
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=5187&d=6-9