Doing my own message reassembly doesn't work because I have header
information I have to strip out in order to get a contiguous payload.
Here's a generalization of what I'm dealing with:
Message 1 header:
> indicates a size of message 1
> other data
Message 1 body:
> indicates that this is a multi-part message
> indicates payload length
> other data
> first part of payload
Message 2 header:
> indicates size of message 2
> other data
Message 2 body:
> second part of payload
...
Right now, I use tcp_dissect_pdus to aggregate the individual messages,
like Message 1 and Message 2 above. I then copy out the payload into an
allocated memory space so that I can dissect the payload as a tvbuff.
Best regards,
M. Scott Mueller
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Scott Mueller
Sent: Monday, September 27, 2010 1:43 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs
Hi Stephen,
Section 2.7.2 is basically about doing the work that tcp_dissect_pdus
does, and that is certainly an option. Large messages composed in the
way I described with my protocol (which uses TCP) are a special case; I
didn't want to re-work everything for this. Composite tvbuffs sounded
like a good way to deal with this. If they don't work, I'll have to bite
the bullet and do the work.
Thanks again,
Best regards,
M. Scott Mueller
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: Friday, September 24, 2010 10:17 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs
On Fri, Sep 24, 2010 at 05:33:25PM -0700, Scott Mueller wrote:
> Thank you for your response. I'm working with a multi-layered protocol
> that relies on TCP/IP, and in some cases the contiguous payload that I
> need to work with is spread out across several well-formed messages.
Have you looked at the reassembly information in README.developer,
specifically section 2.7.2, "Modifying the pinfo struct" ? That may do
the job for you, especially if the messages span multiple TCP segments.
The preceding section about using tcp_dissect_pdus could work too, but
it's geared toward simple TCP reassembly.
________________________________________________________________________
___
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
________________________________________________________________________
___
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe