Wireshark-dev: [Wireshark-dev] A plugin dissector and fragmented messages
From: Still Life <still.life@xxxxxxxx>
Date: Mon, 30 Jun 2008 16:14:52 +0200
Hi, I'm developing a plugin dissector for a protocol used by a telephony-over-IP application on top of TCP. The Wireshark version is 0.99.5. Packets have this format:

         fmessage == one pdu (length = messageLength + 18)
        |<------------------------------------------------------>|
        |                                                        |
|---------+--------+----+-------------+--------+--||---+
|tcpHeader|55555555|0000|messageLength|messgeId|details|
|---------+--------+----+-------------+--------+--||---+
          |                           |                |
          |<------------------------->|<-------------->|
           First 18 bytes needed to    messageLength
           determine the pdu length    bytes

A single TCP packet can contain one or more fmessages and can be fragmented. I wrote a dissector following this chapter of the developer's guide: <http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html>

When a single, large pdu is split over more than one TCP packet, the reassembly procedure works fine. When a single TCP packet contains more than one pdu, the dissection works fine over all the pdus. The problem arises in the following case: multiple pdus in the first TCP packet, with the last pdu fragmented before the minimum size needed to determine its length (18 bytes):

                                        pdu3 fragmented!
                   |<-------------...------------------------------>|
                                       | This part is in another packet
|---------+----+----+--------+----+...----------+--------+--||---+
|tcpHeader|pdu1|pdu2|55555555|0000|messageLength|messgeId|details|
|---------+----+----+--------+----+...----------+--------+--||---+
                                 ^
                                 FRAGMENTED HERE! (16 bytes)

The following TCP packet contains the other piece of pdu3:

|---------+-------------+--------+--||---+
|tcpHeader|messageLength|messgeId|details|
|---------+-------------+--------+--||---+

In the first packet, pdu1 and pdu2 are correctly dissected in detail, but the packet is not marked as fragmented and the beginning of pdu3 is totally ignored. The packet with the other part of pdu3 is marked as [TCP segment of a reassembled PDU] and is never reassembled. pdu3 is missed!
Can anyone suggest where I'm wrong and/or how to get reassembly working? My code is as follows:
___________________________________________________

#include <epan/packet.h>
#include "packet-tcp.h"

/* Number of header bytes that must be present before the PDU length can be read */
static const guint numberOfBytesNeededToKnowFmessageLenght = 18;

static guint get_phones_server_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset);
static int dissect_phones_server_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);

/* The main dissecting routine: hands the TCP payload to tcp_dissect_pdus,
 * which splits it into PDUs and asks the TCP layer for more data when a PDU
 * is incomplete (desegmentation is enabled by the TRUE argument). */
static int
dissect_phones_server(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE,
                     numberOfBytesNeededToKnowFmessageLenght, /* == 18 */
                     get_phones_server_message_len,
                     dissect_phones_server_message);
    return 1;
}

/* This method dissects fully reassembled messages */
static int
dissect_phones_server_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    guint offset = 0;

    if (tree) {
        /* DISSECTION DETAILS FOR THE FMESSAGE */
    }
    return offset;
}

/* Determine the PDU length of protocol phones_server: the 2-byte
 * messageLength field sits at offset 16 of the 18-byte header and counts
 * the bytes that follow the header. */
static guint
get_phones_server_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    guint messageLength = 0;

    messageLength = (guint)get_k_byte_from_n(tvb, offset + 16, 2);
    return (messageLength + 18); /* 18 is the length of the header */
}
________________________________________________________

Thanks,
Fabio
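The case Fabio describes (two whole PDUs followed by the first 16 bytes of a third, with the remaining bytes in the next segment) is exactly the situation a tcp_dissect_pdus-style loop has to report back to the TCP layer as "desegment from this offset, I need N more bytes". The following stand-alone C program is an added example written for this page; it is not Fabio's code and not Wireshark's. It models that loop and a minimal reassembler over a constructed byte stream, using the framing from the post: an 18-byte header with a 2-byte messageLength at offset 16 that counts the bytes after the header. The preamble layout, the big-endian length encoding and the helper names (dissect_buffer, feed_segment, make_pdu, run_split_case) are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN    18   /* bytes needed before the PDU length is known (from the post) */
#define LEN_OFFSET 16   /* 2-byte messageLength at offset 16; big-endian is assumed */

/* What one dissection pass reports back, mirroring desegment_offset /
 * desegment_len as a tcp_dissect_pdus-style loop sets them. */
typedef struct {
    int pdus_dissected;    /* complete PDUs found in this buffer */
    int desegment_offset;  /* start of the incomplete trailing PDU, or -1 */
    int desegment_len;     /* additional bytes needed to complete it */
} pass_result;

static size_t pdu_total_len(const uint8_t *p) {
    size_t msglen = ((size_t)p[LEN_OFFSET] << 8) | p[LEN_OFFSET + 1];
    return msglen + HDR_LEN;
}

/* One pass over buf[0..len): walk PDU by PDU and stop as soon as either the
 * 18-byte header or the PDU body is short, asking for the missing bytes. */
static pass_result dissect_buffer(const uint8_t *buf, size_t len) {
    pass_result r = {0, -1, 0};
    size_t offset = 0;
    while (offset < len) {
        size_t remaining = len - offset;
        if (remaining < HDR_LEN) {           /* header itself is cut */
            r.desegment_offset = (int)offset;
            r.desegment_len = (int)(HDR_LEN - remaining);
            return r;
        }
        size_t total = pdu_total_len(buf + offset);
        if (remaining < total) {             /* body is cut */
            r.desegment_offset = (int)offset;
            r.desegment_len = (int)(total - remaining);
            return r;
        }
        r.pdus_dissected++;                  /* a complete PDU: dissect it */
        offset += total;
    }
    return r;
}

/* Minimal reassembler: keeps the incomplete tail of one segment and prepends
 * it to the next, which is what TCP desegmentation does for the dissector. */
typedef struct {
    uint8_t held[4096];
    size_t held_len;
    int total_pdus;
} reassembler;

static pass_result feed_segment(reassembler *rs, const uint8_t *seg, size_t seglen) {
    uint8_t buf[8192];
    memcpy(buf, rs->held, rs->held_len);
    memcpy(buf + rs->held_len, seg, seglen);
    size_t len = rs->held_len + seglen;
    pass_result r = dissect_buffer(buf, len);
    rs->total_pdus += r.pdus_dissected;
    rs->held_len = 0;
    if (r.desegment_offset >= 0) {
        rs->held_len = len - (size_t)r.desegment_offset;
        memcpy(rs->held, buf + r.desegment_offset, rs->held_len);
    }
    return r;
}

/* Constructed PDU: 16 bytes of preamble, 2-byte length, then `bodylen` bytes. */
static size_t make_pdu(uint8_t *out, uint8_t id, size_t bodylen) {
    memset(out, 0x55, LEN_OFFSET);
    out[LEN_OFFSET] = (uint8_t)(bodylen >> 8);
    out[LEN_OFFSET + 1] = (uint8_t)bodylen;
    memset(out + HDR_LEN, id, bodylen);
    return HDR_LEN + bodylen;
}

/* Results of the two passes of the split case, for inspection after the run. */
static pass_result g_first, g_second;

/* Reproduces the failing case from the post: pdu1 and pdu2 complete, then the
 * first 16 bytes of pdu3 (inside its 18-byte header); the rest arrives in the
 * next segment. Returns the number of PDUs dissected over both segments. */
static int run_split_case(void) {
    uint8_t stream[512];
    size_t n = 0;
    n += make_pdu(stream + n, 1, 10);        /* 28 bytes */
    n += make_pdu(stream + n, 2, 20);        /* 38 bytes, n == 66 */
    size_t cut = n + 16;                     /* split 16 bytes into pdu3 */
    n += make_pdu(stream + n, 3, 30);        /* 48 bytes, n == 114 */
    reassembler rs = { {0}, 0, 0 };
    g_first = feed_segment(&rs, stream, cut);
    g_second = feed_segment(&rs, stream + cut, n - cut);
    return rs.total_pdus;
}

int main(void) {
    int total = run_split_case();
    printf("segment 1: %d pdus, desegment at %d, need %d more bytes\n",
           g_first.pdus_dissected, g_first.desegment_offset, g_first.desegment_len);
    printf("segment 2: %d pdus; total %d\n", g_second.pdus_dissected, total);
    return total == 3 ? 0 : 1;
}
```

The first pass dissects pdu1 and pdu2 and reports desegment_offset 66 with desegment_len 2, because only 16 of the 18 header bytes of pdu3 are present; the second pass sees the held 16 bytes plus the new segment and dissects pdu3 whole. A real dissector gets this behaviour for free from tcp_dissect_pdus only if the TCP layer honours the request, so when pdu3 vanishes it is worth checking, with a debug print or in the TCP preferences, whether "Allow subdissector to reassemble TCP streams" is on and whether the function passed as get_pdu_len is ever called at offset 66 for the first packet.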