Wireshark-dev: [Wireshark-dev] Reassembling packets
Date: Tue, 7 Apr 2009 21:28:06 +0000
Hello helpful people,

I'm working on writing a dissector for my protocol. However, one of the message types within my protocol is a Multi-Part Message. The layout of the protocol is:

first byte is packet type: 1 - heartbeat, 2 - data, 3 - multi part start, 4- mp continuation, 5 - mp end
next 2 bytes are for the number of bytes of data there is in the data
next 1 or 2 bytes is the message ID
then the data sections

And so the data sections are submessages, which can get cut off in the middle if its a 3/4 packet type. There is a count section for the submessage that says how many bytes the submessage is, so i can compare that to the total count and can figure out how many bytes will be in the next message. when its a 4 or 5 packet type, the layout is:

packet type, 1 byte
number of bytes, 2 bytes
bytes from last packet,
...

The way i dissect is to take the buffer after the packet type/data count part (first 3 bytes) and send it to a dll to be decoded. I was thinking if i could take the first buffer and hold onto it so that i can put it after the second packets type/data count part, etc, and keep appending the buffer till the 05, and then send that to be decoded. Would this be possible? I am looking for a way to hold onto the buffer from the 03 packet type, ammend the 04 packet type buffers and finally have the whole buffer from the 03, 04's, and 05 messages combined into one large buffer. I hope this is clear. I read http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html, but that's not quite what i'm looking for i dont think.

Thanks for any help,
Greg