Wireshark · Wireshark-dev: [Wireshark-dev] How to dissect TCP stream which emits multiple packets

Wireshark-dev: [Wireshark-dev] How to dissect TCP stream which emits multiple packets

From: Andrew Rukavishnikov <andrew.rukavishnikov@xxxxxxxxx>

Date: Thu, 13 Feb 2014 17:24:22 +0200

Hi,

I'am writing dissector for protocol over TCP stream which can emit morethan one packet per real TCP frame. For example lets assume that we haveethernet tunnel over TCP stream, and one TCP frame of length 15000 bytes(assume the capture with TSO on) can contain five or ten embeddedethernet packets. So I can successfully dissect this stream, can writeinfo about each packet to frame tree. But it is not possible to indicatesuch packet in frame list. And another case when I try to sub dissectemitted packets by ethernet dissector the system goes crazy and breaksTCP reassemble functionality.

What is a proper way to write such dissector? How can I indicate newframes to frame list? How not to break TCP reassemble functionality whensubdissecting nested packets?

The best approach I have found is to dump the emitted packets to anotherpcap file on dissection and then load it to wireshark. But this is ahard way.


Best regards,
--
Andrew Rukavishnikov

Prev by Date: [Wireshark-dev] tshark - z follow aborts after missing or broken package
Next by Date: Re: [Wireshark-dev] Automatically Expiring Old Gerrit Reviews
Previous by thread: [Wireshark-dev] tshark - z follow aborts after missing or broken package
Next by thread: [Wireshark-dev] $Id$ and git
Index(es):
- Date
- Thread