Wireshark-dev: Re: [Wireshark-dev] calculating PDU size of TCP message
From: "John Dill" <John.Dill@xxxxxxxxxxxxxxxxx>
Date: Tue, 22 Jul 2014 12:09:06 -0400
>Message: 3
>Date: Mon, 21 Jul 2014 13:52:40 -0700
>From: Guy Harris <guy@xxxxxxxxxxxx>
>To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
>Subject: Re: [Wireshark-dev] calculating PDU size of TCP message
>Message-ID: <937C9F55-5330-4553-85A3-51543AEEDBD1@xxxxxxxxxxxx>
>Content-Type: text/plain; charset=iso-8859-1
> 
> 
>On Jul 21, 2014, at 1:46 PM, "John Dill" <John.Dill@xxxxxxxxxxxxxxxxx> wrote:
> 
>> I have a TCP message (that I reverse engineered) that contains blocks of the following type:
>> 
>>  -------------
>> |  Data Type  | 4 bytes
>>  -------------
>> | Payload Len | 4 bytes
>>  -------------
>> |  Checksum   | 4 bytes
>>  -------------
>> |    Data     | = Payload Len
>>  -------------
>>    (repeats)
>> 
>>Since I did not know about the underlying structure, I used tcp_dissect_pdus
>>with a TCP header length of 12 bytes to be able to read a single block.
>> 
>> tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
>>                  TCP_PAYLOAD_HDR_LENGTH,
>>                  get_tcp_pdu_len,
>>                  dissect_tcp_pdu);
>> 
>>I have discovered that in general, this application layer message can have
>>multiple blocks
>
>What do you mean by "this application layer message"?

I use "application layer" in reference to the OSI model as a protocol that
sits on top of a transport protocol layer.  An "application layer message"
refers to a PDU that was desegmented from one or more TCP packets.  Maybe
PDU is the term I should use here.

>If a "block" is
>
> -------------
>|  Data Type  | 4 bytes
> -------------
>| Payload Len | 4 bytes
> -------------
>|  Checksum   | 4 bytes
> -------------
>|    Data     | = Payload Len
> -------------

That is correct.  Each of these "blocks" could probably be referred to
as a PDU as well.

>then presumably there's some *other* header that indicates which blocks
>are part of a given application layer message, or a convention that an
>application layer message consists of a sequence of blocks all of the
>same data type (so that a change in the data type is an indication that
>one application layer message ended and another began), or something
>such as that.

Unfortunately, there is no other header that identifies which blocks
are part of a given application layer message.  It is just a sequence
of blocks.  There are "control" messages sent from the client to the
server, and "data" messages, both periodic and on-demand, from the
server to the client and vice versa.  Here are the scenarios that I
see in the data.

1.  A single TCP packet payload contains 1 block (for "control" messages
or medium to smaller "data" messages).

2.  Multiple TCP packets are desegmented to contain 1 block (for large
"data" messages, up to a few KB).

3.  A single TCP packet payload contains 2 or more blocks (for multiple
"control" messages and smaller "data" messages).

>Without knowing that, it will be impossible to do
>
>Frame
>Ethernet II
>Internet Protocol Version 4
>Transmission Control Protocol
>Application Protocol
>  Block 1
>  Block 2
>  Block ...
>  Block N
>
>because Wireshark won't be able to determine where one application layer
>message begins and another ends.

I see.  I originally thought I had a mistake in the dissector since it's
the first time I've encountered multiple PDUs in a single TCP packet.  I
had expected them to all be in the same "Application Protocol" since that
is what I've always seen before.  Now it's clear what is going on.

Thanks again,
John Dill

<<winmail.dat>>