Wireshark-dev: Re: [Wireshark-dev] composite tvbuffs
From: "Scott Mueller" <smueller@xxxxxxxxxxx>
Date: Mon, 27 Sep 2010 15:03:34 -0700
Doing my own message reassembly doesn't work because I have header
information I have to strip out in order to get a contiguous payload.
Here's a generalization of what I'm dealing with:

Message 1 header:
> indicates a size of message 1
> other data
Message 1 body:
> indicates that this is a multi-part message
> indicates payload length
> other data
> first part of payload

Message 2 header:
> indicates size of message 2
> other data
Message 2 body:
> second part of payload

...

Right now, I use tcp_dissect_pdus to aggregate the individual messages,
like Message 1 and Message 2 above. I then copy out the payload into an
allocated memory space so that I can dissect the payload as a tvbuff.

Best regards,

M. Scott Mueller

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Scott Mueller
Sent: Monday, September 27, 2010 1:43 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs

Hi Stephen,

Section 2.7.2 is basically about doing the work that tcp_dissect_pdus
does, and that is certainly an option. Large messages composed in the
way I described with my protocol (which uses TCP) are a special case; I
didn't want to re-work everything for this. Composite tvbuffs sounded
like a good way to deal with this. If they don't work, I'll have to bite
the bullet and do the work.

Thanks again,

Best regards,

M. Scott Mueller

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: Friday, September 24, 2010 10:17 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs

On Fri, Sep 24, 2010 at 05:33:25PM -0700, Scott Mueller wrote:

> Thank you for your response. I'm working with a multi-layered protocol

> that relies on TCP/IP, and in some cases the contiguous payload that I

> need to work with is spread out across several well-formed messages.

Have you looked at the reassembly information in README.developer, 
specifically section 2.7.2, "Modifying the pinfo struct" ?  That may do 
the job for you, especially if the messages span multiple TCP segments.

The preceding section about using tcp_dissect_pdus could work too, but 
it's geared toward simple TCP reassembly.



________________________________________________________________________
___
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
________________________________________________________________________
___
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe