Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo
On Aug 12, 2009, at 11:52 PM, Selçuk Cevher wrote:
> On the other hand, the development guide also says that a single TCP
> segment can carry multiple application messages at the same time.
> In this case, it cannot be assumed that "the message header is at
> the start of your TCP payload". Does it mean that there might be
> multiple application layer headers in the payload of this single TCP
> segment, and each application header may start from an arbitrary
> location depending on the message size?
Yes.
If a TCP segment with multiple application layer packets in it has, at
the beginning, the header of the first of those packets,
tcp_dissect_pdus() will handle that - it'll call the packet dissector
multiple times, once for each of the full packets in that segment.
If the last packet in the segment is continued in the next segment,
tcp_dissect_pdus() will start reassembly of that packet, so that when
tcp_dissect_pdus() is called with the next segment, it will continue
reassembly of that packet.
The only case tcp_dissect_pdus() doesn't handle is the one where the
first captured segment in the capture starts with something *other*
than the header of a packet; that would require that it be possible to
identify PDU headers heuristically and that it scan forward looking
for the first PDU header.
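
The three cases described in the reply above, as an added stand-alone C model; this is not Wireshark code and not from the original message. It assumes a hypothetical protocol whose header is a 2-byte big-endian body length; `stream_t`, `feed_segment()`, `MAX_PDU` and the sample segments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 2   /* assumed framing: 16-bit big-endian body length */
#define MAX_PDU 64  /* sanity cap so a bogus length cannot overrun buf */

typedef struct {
    uint8_t buf[MAX_PDU]; /* partial PDU carried over between segments */
    size_t  have;         /* bytes of that PDU buffered so far */
    size_t  last_body;    /* body length of the last completed PDU */
} stream_t;

static size_t pdu_len(const stream_t *s)
{
    return HDR_LEN + (((size_t)s->buf[0] << 8) | s->buf[1]);
}

/* Feed one segment payload. Returns the number of PDUs completed by it,
 * or -1 when the bytes taken as a header announce more than MAX_PDU. */
int feed_segment(stream_t *s, const uint8_t *seg, size_t len)
{
    int done = 0;
    while (len > 0) {
        size_t want = s->have < HDR_LEN ? HDR_LEN : pdu_len(s);
        if (want > MAX_PDU) return -1;
        size_t take = want - s->have;
        if (take > len) take = len;       /* PDU continues in next segment */
        memcpy(s->buf + s->have, seg, take);
        s->have += take; seg += take; len -= take;
        if (s->have >= HDR_LEN && s->have == pdu_len(s)) {
            s->last_body = s->have - HDR_LEN;
            s->have = 0;                  /* next byte starts a new header */
            done++;
        }
    }
    return done;
}

/* Constructed sample data: two whole PDUs plus the start of a third,
 * its continuation, and a capture that begins inside a PDU body. */
static const uint8_t SEG1[] = {0,3,'a','b','c', 0,2,'d','e', 0,4,'f'};
static const uint8_t SEG2[] = {'g','h','i'};
static const uint8_t MID[]  = {'g','h','i', 0,1,'x'};

int main(void) {
    stream_t s = {{0}, 0, 0}, m = {{0}, 0, 0};
    int r1 = feed_segment(&s, SEG1, sizeof SEG1);
    printf("aligned: %d, then %d\n", r1, feed_segment(&s, SEG2, sizeof SEG2));
    printf("mid-PDU start: %d\n", feed_segment(&m, MID, sizeof MID));
    return 0;
}
```

In the `MID` case the body bytes `'g','h'` are read as a length; here the cap happens to catch it, but a small bogus value would simply yield misframed PDUs.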