Wireshark-dev: Re: [Wireshark-dev] Dissect multiple PDUs in one TCP Segment
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 23 May 2007 10:45:07 -0700
Robert Naumann wrote:
i'm new to the dissector developement for wireshark. I've read that it should be actually possible to dissect multiple PDUs from one TCP Segment with tcp_dissect_pdus(), but i don't get it working.
For example: i've got 2 different PDUs with different lengths (5 and 6). I already got the pdu lengths. The Length of the TCP Datasegment is 11. 

So for the first PDU the function:
tcp_dissect_pdus(tvb, pinfo, tree, TRUE, min_pdu_size, *first_pdu_size*, dissect_pdu_sc);
tcp_dissect_pdus() isn't called for every PDU; it's called *once* in the dissector for your protocol, and the argument you mark as "first pdu size" is a function that gets the PDU size of a PDU.
"min_pdu_size" should be the minimum amount of packet data needed to calculate the PDU size. For example, if every PDU starts with a 2-byte PDU type and a 2-byte PDU length, in that order, "min_pdu_size" should be 4, to include the PDU length. If the length comes *before* the type, it'd be 2.
If the value of the length field in the PDU includes the lengths of the type and length fields, and the fields are in big-endian order, then:
In the case where there's a type and length, in that order, the function to get the PDU size would be 

	static gint
	get_sc_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
	{
		return tvb_get_ntohs(tvb, offset + 2);
	}

and in the case where the length comes before the type, it'd be

	static gint
	get_sc_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
	{
		return tvb_get_ntohs(tvb, offset);
	}
Replace "tvb_get_ntohs()" with "tvb_get_letohs()" if the fields are in little-endian order.
If the value of the length field in the PDU *doesn't* include the lengths of the type and length field, you'd add 4 to the length field in the first of those functions and add 2 to the length field in the second of those functions.
so the first PDU with the correct size (proved) should be passed to the dissector function dissect_pdu_sc.
My first problem: ============= At the dissection of my top level protocol the PDU is marked as [Malformed Packet], why? Size is correct! bitstream show the complete data of my PDU 

So your function is returning the value 5 for the first PDU?
Is your dissector trying to dissect more than 5 bytes in the PDU? If so, it's acting as if the packet should be longer than 5 bytes long, and thus a 5-byte-long packet would be malformed. An attempt to fetch data past the end of the 5-byte tvbuff your dissector is handed will cause an exception to be thrown and your packet marked as malformed.
My second problem: =============== The second PDU within the the TCP Segment wont be dissected and not shown as a part of my top level protocol. Is the second PDU automatically processed 

Yes.
or do i have to call the function tcp_dissect_pdus() again?
No. It's called "tcp_dissect_pdus()", plural, not "tcp_dissect_pdu()", singular, because it's supposed to be handed all the data that's passed to the disector and dissects all the PDUs in that data.