Wireshark-dev: Re: [Wireshark-dev] reassembling tcp streams to dissect netstrings
On 14 feb 2011, at 11:59, Toni Ruottu wrote:
> I am writing a plugin to dissect a TCP stream of netstrings. Examples
> of netstrings would include 5:hello, and 0:, See
> http://cr.yp.to/proto/netstrings.txt for details. Method
> tcp_dissect_pdus takes length of the data as a parameter, which is not
> a problem for the payload part, but how do I reassemble the stream up
> to the first ":", so I can read the length information?
That's also done by tcp_dissect_pdus:
(from epan/dissectors/packet-tcp.h)
/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
 *
 * "dissect_pdu()" is the routine to dissect a PDU.
 */
extern void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                 gboolean proto_desegment, guint fixed_len,
                 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
                 dissector_t dissect_pdu);
In short, you need to tell tcp_dissect_pdus the minimum number of bytes that are always available and will contain enough information to determine the length of a PDU.
In your case the length is itself of variable length, which makes using tcp_dissect_pdus impossible, unless you can make sure all lengths are noted with a fixed-length string, like "00005:Hello" and "00000:" for PDUs with a maximum size of 99999. If this is not possible, then you will need to use the pinfo struct, as can be read in paragraph 2.7.2 of "doc/README.developer".
Hope this helps,
Cheers,
Sake
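
The variable-length prefix discussed in this thread, as an added stand-alone example (not code from the original post or from Wireshark): a scanner that decides, for the bytes reassembled so far, whether a netstring is complete, needs more data, or is malformed. The names netstring_scan, netstring_consume and the NS_MAX_DIGITS cap are assumptions made for this example.

```c
#include <stddef.h>

enum ns_status { NS_COMPLETE, NS_NEED_MORE, NS_MALFORMED };
#define NS_MAX_DIGITS 9  /* assumed cap on the length prefix */

/* Examine buf[0..avail) for one netstring "<len>:<payload>,".
 * NS_COMPLETE:  *pdu_len is the size of the whole netstring.
 * NS_NEED_MORE: valid so far; *pdu_len is the total size if the ':' has
 *               been seen, or 0 if the length prefix is still incomplete
 *               (the point where a dissector asks TCP for more bytes). */
enum ns_status
netstring_scan(const unsigned char *buf, size_t avail, size_t *pdu_len)
{
    size_t i = 0, len = 0;

    *pdu_len = 0;
    while (i < avail && buf[i] >= '0' && buf[i] <= '9') {
        if (i >= NS_MAX_DIGITS)
            return NS_MALFORMED;      /* would overflow / absurd size */
        if (i == 1 && buf[0] == '0')
            return NS_MALFORMED;      /* extra leading zero */
        len = len * 10 + (size_t)(buf[i] - '0');
        i++;
    }
    if (i == avail)
        return NS_NEED_MORE;          /* ':' not received yet */
    if (i == 0 || buf[i] != ':')
        return NS_MALFORMED;
    *pdu_len = i + 1 + len + 1;       /* digits, ':', payload, ',' */
    if (avail < *pdu_len)
        return NS_NEED_MORE;
    return buf[*pdu_len - 1] == ',' ? NS_COMPLETE : NS_MALFORMED;
}

/* Consume complete netstrings from the front of a reassembled buffer and
 * stop at the first incomplete or malformed one. Returns bytes consumed. */
size_t
netstring_consume(const unsigned char *buf, size_t avail, enum ns_status *last)
{
    size_t off = 0, n;

    while ((*last = netstring_scan(buf + off, avail - off, &n)) == NS_COMPLETE)
        off += n;
    return off;
}
```

Bounding the digit count before accumulating keeps a hostile length prefix from overflowing the arithmetic or forcing unbounded reassembly.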