Wireshark-users: Re: [Wireshark-users] How do you access the reassembled TCP PDU in Lua?
From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Mon, 13 Nov 2006 10:37:08 +1100
Bill,

If you are working on the TDS dissector,
could you also look into making the heuristics a bit stronger for this dissector?

It is fairly common that the payload for certain bulk transport protocols is mistaken for TDS.



On 11/13/06, Bill Meier <> wrote:
>
> I am trying to write a tap for TDS packets in Lua and I am running into
> issues when the PDU is in multiple packets. Is there any way to access the
> reassembled TCP data?
>
> If you turn off reassembly, the first payload byte of each frame is
> dissected as a tds.type parameter. If you turn on reassembly, the tap
> triggers on the last packet of the message and you can't access the earlier
> packets that contain the RPC name and such
>
>

I don't know the answer to your question (not yet having explored how 'taps'
and LUA work).

FWIW I would like to note the following:

The "defragmentation" code in packet-tds.c doesn't work well.
(Defragmentation has to do with re-assembling a query/response which
consists of multiple netlib 'packets').
Defragmentation is controlled by the TDS option "Reassemble fragmented TDS
messages..."
So: if you have large queries or responses whose size exceeds the "network
packet size" (Sybase terminology) then Wireshark currently doesn't re-
assemble them properly (in many cases).
I've been working on a fix which I should be able to submit in a week or so.

AFAIK TDS 'desegmentation' (building a "TDS Buffer" (aka "Netlib Packet")
from TCP segments) works correctly.



With respect to your previous EMail:

> the TDS dissector does not create fields with the RPC name or
> parameters.

This might not be too difficult to implement. Which version of the TDS
protocol are you decoding?
(or: what (Sybase, Microsoft) server on what (Linux, Unix, Windows) platform
are you using?)

> Is anyone working on improving the tds dissector? It seems like freetds.org
> has all of the information needed to decode the parameters.

I've been doing some work in the background, but haven't had too much time
lately.


(Your work on doing query response time analysis sounds good. Some number of
years ago I wrote some fairly low-level code which takes raw sniffer capture
files and extracts info as to queries (rpc name or proc name or sql, time)
and query responses (time). Charts created from the data have helped me many
times to identify problems involving apps using Sybase servers inefficiently.
It would be nice to eventually have a way to do this using data derived from
Wireshark so that I can throw away my old code).


Bill Meier
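As an added illustration of the tap behaviour described in the quoted question (this is example code written for this page, not code from the thread or from the Wireshark project), the following Lua tap works in the "reassembly turned off" configuration: it records the tds.type that the TDS dissector assigns to the first payload byte of every frame and groups those frames by TCP stream, so that the frames belonging to one multi-segment TDS message can be listed together. It assumes the real Wireshark field names "tds.type" and "tcp.stream" and the Wireshark Lua API (Listener.new, Field.new, pinfo.number); the table layout, output format and file name tds_tap.lua are this example's own choices. It does not give a tap access to earlier segments once reassembly is on (the tap then fires only on the last segment, as the question notes); it only makes the per-frame data visible when reassembly is off.

```lua
-- tds_tap.lua: example Lua tap (added for this page, not from the thread).
-- Run against a capture with TCP reassembly disabled so that each frame's
-- first payload byte is dissected as tds.type:
--   tshark -X lua_script:tds_tap.lua -o tcp.desegment_tcp_streams:FALSE -r capture.pcap

-- Field extractors; both field names are real Wireshark fields.
local f_tds_type   = Field.new("tds.type")   -- TDS packet type byte
local f_tcp_stream = Field.new("tcp.stream") -- Wireshark's per-connection index

-- streams[stream_index] = ordered list of { frame = <frame number>, tds_type = <value> }
-- (table shape is this example's own choice)
local streams = {}

-- Listener on the frame tap, restricted to frames the TDS dissector claimed.
local tap = Listener.new(nil, "tds")

-- Called once per matching frame while the capture is being processed.
function tap.packet(pinfo, tvb)
    local t = f_tds_type()
    local s = f_tcp_stream()
    if t == nil or s == nil then
        return -- frame matched the filter but one of the fields is absent
    end
    local idx = s.value -- integer stream index
    if streams[idx] == nil then
        streams[idx] = {}
    end
    table.insert(streams[idx], { frame = pinfo.number, tds_type = t.value })
end

-- Called at the end of the run (tshark) or on redraw (Wireshark GUI).
function tap.draw()
    for idx, frames in pairs(streams) do
        local parts = {}
        for _, f in ipairs(frames) do
            -- one entry per frame: "<frame number>:<tds.type>"
            table.insert(parts, string.format("%d:0x%02x", f.frame, f.tds_type))
        end
        print(string.format("tcp.stream %d (%d frames): %s",
                            idx, #frames, table.concat(parts, " ")))
    end
end

-- Called when the capture is reloaded or filtering restarts.
function tap.reset()
    streams = {}
end
```

Because reassembly is off, every segment of a large query or response shows up here as its own frame with its own tds.type, which is the per-frame view the question asks about; reading the RPC name or parameters out of those frames would still need the dissector to expose them as fields, which the thread notes it does not yet do.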


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users