Wireshark-dev: Re: [Wireshark-dev] Wireshark dissector development - Reassembly tcp frames
On Tuesday 04 November 2014 11:48:03 Guillaume Ribière wrote:
> I read the readme.dissector and try using two methods:
>
> First method:
>
> tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
> get_dns_pdu_len, dissect_dns_tcp_pdu, data);
> return tvb_captured_length(tvb);

You would use this when your protocol has a well-defined packet message format
where the length of a packet can be determined from the beginning of a message.
Example: SSL has a record length notion. IIRC this will call dns_desegment
multiple times if a packet contains multiple PDUs ("messages").

> Second method :
>
> guint offset = 0;
> while(offset < tvb_reported_length(tvb)) {
> gint available = tvb_reported_length_remaining(tvb, offset);
> gint len = tvb_strnlen(tvb, offset, available);
>
> if( -1 == len ) {
> /* we ran out of data: ask for more */
> pinfo->desegment_offset = offset;
> pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
> return (offset + available);
> }
>
[..]
> offset += (guint)len;
> }
>
> /* if we get here, then the end of the tvb coincided with the end of a
> string. Happy days. */
> return tvb_captured_length(tvb);

This can be used if you do not know the length of the data beforehand. In the
above example, a C string is NUL-terminated and you cannot know the full
length until you have read everything.

> But impossible to reassemble the message, I do not understand why ... can
> you help me please? I hope you understand my problem ...: /

What issue are you encountering? Be very careful not to return 0 from a
dissector as it means "I do not know this data, pass it to a different
dissector". If you set desegment_len to a fixed positive value other than
DESEGMENT_ONE_MORE_SEGMENT, then you won't be able to change the segment length
later.
--
Kind regards,
Peter
https://lekensteyn.nl
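
The two framing strategies discussed in this thread, as a stand-alone C model added here for illustration; it is not part of the original messages and does not use Wireshark's headers or API. The names `framing_result`, `MODEL_ONE_MORE_SEGMENT`, `frame_length_prefixed` and `frame_nul_terminated` are hypothetical, and the 2-byte big-endian length prefix is an assumption matching the fixed length of 2 in the quoted `tcp_dissect_pdus` call.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_ONE_MORE_SEGMENT (-1) /* local stand-in for "length unknown" */
typedef struct {
    size_t pdus;       /* complete messages found in the buffer */
    size_t offset;     /* bytes consumed = start of the first incomplete message */
    int desegment_len; /* 0: done, >0: exact bytes missing, -1: one more segment */
} framing_result;

/* Method 1: the length is readable from the start of each message. */
framing_result frame_length_prefixed(const uint8_t *buf, size_t len) {
    framing_result r = {0, 0, 0};
    while (r.offset < len) {
        size_t avail = len - r.offset;
        if (avail < 2) { /* the length field itself is split across segments */
            r.desegment_len = MODEL_ONE_MORE_SEGMENT;
            return r;
        }
        const uint8_t *p = buf + r.offset;
        size_t pdu_len = 2 + (((size_t)p[0] << 8) | p[1]);
        if (pdu_len > avail) { /* never read past the buffer: report shortfall */
            r.desegment_len = (int)(pdu_len - avail);
            return r;
        }
        r.offset += pdu_len;
        r.pdus++;
    }
    return r;
}

/* Method 2: NUL-terminated strings, length unknown until the terminator. */
framing_result frame_nul_terminated(const uint8_t *buf, size_t len) {
    framing_result r = {0, 0, 0};
    while (r.offset < len) {
        const uint8_t *nul = memchr(buf + r.offset, 0, len - r.offset);
        if (nul == NULL) { /* ran out of data: ask for one more segment */
            r.desegment_len = MODEL_ONE_MORE_SEGMENT;
            return r;
        }
        r.offset = (size_t)(nul - buf) + 1; /* consume the terminator too */
        r.pdus++;
    }
    return r;
}

int main(void) {
    const uint8_t s[] = {0, 3, 'a', 'b', 'c', 0, 4, 'd', 'e'}; /* constructed */
    return frame_length_prefixed(s, sizeof s).desegment_len == 2 ? 0 : 1;
}
```

In both functions the returned `offset` is never 0 once a message has been consumed, which is the model's counterpart of the advice above about not returning 0 from a dissector.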