Wireshark-dev: [Wireshark-dev] Reassembling fragmented messages
From: Francesco Jacomel <francesco.jacomel@xxxxxxxxx>
Date: Thu, 19 Jan 2012 17:53:57 -0200
Hi,
I've just subscribe to this list to find some successful experience on reassembling packets.
I'm trying to use the developers guide to help me on doing it, but I had no success until this moment.
I'm creating a new dissector and for simple messages it works fine, but nothing works neither when adding fragments in a hash table nor when reassembling the packets.
Let me show the incoming packets, at first, to make the problem more clear.
In the .log file -also created by myself-, I have the following:
The packet with the total size to be reassembled is this one
18:25:13.257000000 00 0C 00 05 AA FF 00 00 8F .........
Where 00 0C 00 05 means:
01 - TX
0C - My protocol
00 05 - 2 bytes length
And A0 12 00 00 8F means:
AA - Command class
FF - Instruction
00 - Don't care
00 - Don't care
>> 8F - The TOTAL length of the bytes to be received by the ME. <<
And as the answer from SIM card, I have the following:
18:25:13.264000000 01 0C 00 72 FF D0 81 8C 81 03 01 25 00 82 02 81 ................000010 82 85 0C 53 65 72 76 69 09 6F 73 20 54 49 4D 8F ................000020 0D 02 4D 65 75 20 4D 65 6E 75 20 54 49 4D 8F 05 ................000030 03 53 6F 6E 73 8F 07 04 43 61 6E 61 69 73 8F 0E ................000040 05 43 68 61 74 20 64 6F 20 62 6C 61 68 21 8F 08 ................000050 06 44 65 73 61 66 69 6F 8F 0A 07 41 67 65 6E 64 ................000060 61 20 4C 44 8F 0B 08 54 49 4D 20 41 67 65 6E 64 ................000070 61 8F 0C 09 54 49 ......
Where 01 0C 00 72 FF means:
01 - RX
0C - ISO7816-3 protocol
00 72 - 2 bytes length
FF - The instruction received for this answer being sent.
The FF is the received instruction value and the following bytes -from D0 to 49 - are part of HALF of full message.
The second and last part of the message is the following:
18:25:13.265000000 01 0C 00 20 4D 20 54 6F 72 70 65 64 6F 8F 0A 0B ................000010 54 49 4D 20 43 6F 66 72 65 8F 07 0C 45 2D 6D 61 ................000020 69 6C 9F FF ....
Where the first 4 bytes are the same header as the former but now there is no identification with any instruction received, since the only TX came in the first message, so we have:
TX -------------->
TX -------------->
<-------------- RX(PART 1)
<-------------- RX(PART 2)
Ok, so I need to sum part 1 (from 6th byte -'D0'- to the last byte -'49' ) with the part 2 (from 5th byte -'4D'- to the last -'6C'-)
Now, the code:
save_fragmented = pinfo->fragmented;pinfo->fragmented = TRUE;nRXCounter = pinfo->fd->num;
frag_msg = fragment_add_seq_check (tvb, 1, pinfo,
nRXCounter, // guint32 ID for fragments belonging together - Is the same for the two parts of the message.
iso7816_fragment_table, // list of message fragmentsiso7816_reassembled_table,// list of reassembled messagesnFrameCounter++, // guint32 fragment sequence number - static variable starting at 0 value, working fine.tvb_reported_length(tvb), // guint32 fragment length
!bGetNextRXFragment); // More fragments? */
bGetNextRXFragment = TRUE;
nLastRXLength = nLastRXLength-(len-3);pinfo->fragmented = save_fragmented;
In the first RX received, it will add the tvb in the hash table, but in the second, due to the bGetNextRXFragment = TRUE; it will call the fragment_add_seq_check with the last parameter being FALSE, what I understand is that I need to change it to FALSE when I know that there is no more fragments, right??
There is any other parameter to pass/set in this function to signalize that there are no more fragments and the message can be reassembled?
I tried to change everything, use another functions, but it doesn't work and frag_msg is NEVER a valid value, on the Wireshark I see only it adding fragments forever.
To check the answer for that, i have:
if (frag_msg) /* Reassembled */{col_append_str(pinfo->cinfo, COL_INFO,"REASSEMBLED");nFrameCounter = 0;}else /* Not last packet of reassembled Message */{col_append_fstr(pinfo->cinfo, COL_INFO,"(Message fragment # %u)", nFrameCounter++);}if(new_tvb){col_append_fstr(pinfo->cinfo, COL_INFO,"new_tvb OK");else{}col_append_fstr(pinfo->cinfo, COL_INFO,"* new_tvb NULL");}
And what I see in the Wireshark is :
8 18:25:13.264000 MyProtocol Equipment PROT 118 (Message fragment # 0)* new_tvb NULL
8 18:25:13.264000 MyProtocol Equipment PROT 118 (Message fragment # 0)* new_tvb NULL
9 18:25:13.265000 MyProtocol Equipment PROT 36 (Message fragment # 1)* new_tvb NULL
Does anyone know how can I check if I'm doing everything needed to reassemble the fragments with no problems? I'm doing something wrong but I could not find what.
Thanks in advance for you all.
--
Francesco Jacomel.
- Follow-Ups:
- Re: [Wireshark-dev] Reassembling fragmented messages
- From: Marcel Haas
- Re: [Wireshark-dev] Reassembling fragmented messages
- Prev by Date: Re: [Wireshark-dev] Ronnie's Wireshark presentation / attaching files to the Presentations page on the wiki
- Next by Date: Re: [Wireshark-dev] Ronnie's Wireshark presentation / attaching files to the Presentations page on the wiki
- Previous by thread: Re: [Wireshark-dev] GOOSE dissector update
- Next by thread: Re: [Wireshark-dev] Reassembling fragmented messages
- Index(es):