Wireshark-dev: [Wireshark-dev] A plugin dissector and fragmented messages
From: Still Life <still.life@xxxxxxxx>
Date: Mon, 30 Jun 2008 16:14:52 +0200
Hi,
I'm developing a plugin dissector for a protocol used by
a telephony over IP application on top of TCP protocol.
Wireshark version is 0.99.5.

Packets have this format:


           fmessage == one pdu (length=messagelength+18)
          |<------------------------------------------>|
          |                                            |
|---------+--------+----+-------------+--------+--||---+
|tcpHeader|55555555|0000|messageLength|messgeId|details|
|---------+--------+----+-------------+--------+--||---+
          |                                            |
          |<------------------------->|<-------------->|
           First 18 byte needed to     messageLength
           determine the pdu length    bytes



A single tcp packet can contain one or more fmessage and
can be fragmented.

I wrote a dissector follow this chapter of the developers guide:
<http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html>

When a single, large pdu is splitted over more TCP packet the
reassembling procedure work fine.
When a single tcp packet contain more pdus the dissection work
fine over all the pdus.

Problem arise in the following case with multiple pdu in the first
TCP packet with the last pdu fragmented before the minimum size
to determine his length (18 bytes):

                              pdu3 fragmented!
                    |<-------------...--------------------------->
                    |               This part is in another packet
|---------+----+----+--------+----+...----------+--------+--||---+
|tcpHeader|pdu1|pdu2|55555555|0000|messageLength|messgeId|details|
|---------+----+----+--------+----+...----------+--------+--||---+
                                  ^
                                  FRAGMENTED HERE!
                                  (16 byte)

The following TCP packet contain the other piece of the pdu3:
|---------+-------------+--------+--||---+
|tcpHeader|messageLength|messgeId|details|
|---------+-------------+--------+--||---+


In the first packet pdu1 and pdu2 are correctly dissected in detail
but the packet is not marked as frammented and the beginning
of pdu3 is totally ignored last.
The packet with the other part of pdu3 is marked as
[TCP segment of a reassembled PDU]
and never reassembled.

The pdu 3 is missed!

Can anyone suggest me where I'm wrong and/or how to obtain
reassembling work?

My code is as the follow:
___________________________________________________

static const guint numberOfBytesNeededToKnowFmessageLenght = 18;

/* The main dissecting routine */
static int dissect_phones_server(tvbuff_t *tvb, packet_info *pinfo,
                                 proto_tree *tree)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE,
                     numberOfBytesNeededToKnowFmessageLenght, //==18
                     get_phones_server_message_len,
                     dissect_phones_server_message);
    return 1;
}


/* This method dissects fully reassembled messages */
static int dissect_phones_server_message(tvbuff_t *tvb, packet_info
*pinfo, proto_tree *tree)
{
    guint offset = 0;
    if (tree)
    {
        // DISSECTION DETAILS FOR THE FMESSAGE
    }

    return offset;

}

/* determine PDU length of protocol phones_server */
static guint get_phones_server_message_len(packet_info *pinfo, tvbuff_t
                                           *tvb, int offset)
{
    guint messageLength = 0;
    messageLength = (guint)get_k_byte_from_n(tvb, offset+16, 2);
    return (messageLength+18); // 18 is the lenght of the header
}
________________________________________________________


Thanks,
          Fabio



--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Sponsor:
VOGLIA DI VACANZE ? * A Riccione i Family Hotels sono gli alberghi specializzati per le vacanze dei bambini
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=8061&d=30-6