Ethereal-dev: Re: [ethereal-dev] IP defragging and need for new container

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Uwe Girlich <Uwe.Girlich@xxxxxxxxxxx>
Date: Thu, 27 Jul 2000 07:38:33 +0200
Hello!

> So, I'm proposing a container, perhaps called "frame_dissection", which holds
> the proto_tree* that is filled out by dissect_packet(), and holds the tvbuff.
> The frame_dissection routines will be responsible for creating and deleting
> the tvbuff; dissect_packet() will no longer do it.
> 
> Thoughts? Tangents? Vetoes?
That's good, but I have problems with more general things. I just looked up
how libnids-1.14 does the IP reassembling and found that they simply
copied the ip_fragment.[ch] from the Linux kernel 2.0.36 and can so reassemble
all reasonable packets (including overlapping fragments and such wonderful
things like TCP header fragmentation to fool a firewall). But Ethereal should
be able to detect problems (at least I use it so), so I also expect lots of
fragments which don't fit together, or one fragment sent twice with the
wrong offset, or similar things. We need some kind of user interface so that
the user can correct the reassembling until he thinks it is good.

Where should the decoded data tree appear? In the window of the first packet?
Distributed over all fragments, or would it be better to include a faked packet
after all fragments were collected, which contains a TVBUFF_COMPOSITE tvbuffer?
The IP layer must be corrected in this newly created IP packet (the 'more
fragments' bit in the IP flags must be zeroed) but everything else could be
used from the fragment with the 0 fragment offset.

Uwe
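
Added example, not part of the original message and not code from Ethereal or libnids: a minimal C check that classifies the fragment problems the message lists (overlaps, fragments that do not fit together, a fragment sent twice, data past the final fragment) instead of silently reassembling. The names `struct frag`, `check_fragments` and the `FRAG_*` bits are hypothetical, and payload bytes are not compared.

```c
#include <stdio.h>
#include <stdlib.h>
/* Anomaly bits for one datagram's fragment set (names are illustrative). */
#define FRAG_OVERLAP   0x01 /* fragments cover the same bytes differently */
#define FRAG_GAP       0x02 /* bytes missing before or between fragments */
#define FRAG_NO_LAST   0x04 /* no fragment with "more fragments" clear */
#define FRAG_PAST_END  0x08 /* data beyond the end set by the last fragment */
#define FRAG_DUPLICATE 0x10 /* same offset and length seen twice */

/* off and len in bytes (offset field * 8); mf = "more fragments" bit */
struct frag { unsigned off, len; int mf; };

static int cmp_frag(const void *a, const void *b)
{
    const struct frag *x = a, *y = b;
    if (x->off != y->off) return x->off < y->off ? -1 : 1;
    return (x->len > y->len) - (x->len < y->len);
}

/* Sorts f[] by offset and returns a bitmask of the anomalies found. */
unsigned check_fragments(struct frag *f, size_t n)
{
    unsigned flags = FRAG_NO_LAST, covered = 0, end = 0;
    qsort(f, n, sizeof *f, cmp_frag);
    for (size_t i = 0; i < n && (flags & FRAG_NO_LAST); i++) /* find the end */
        if (!f[i].mf) { end = f[i].off + f[i].len; flags &= ~FRAG_NO_LAST; }
    for (size_t i = 0; i < n; i++) {      /* walk the covered byte range */
        unsigned stop = f[i].off + f[i].len;
        if (i && f[i].off == f[i-1].off && f[i].len == f[i-1].len)
            flags |= FRAG_DUPLICATE;
        else if (f[i].off < covered)
            flags |= FRAG_OVERLAP;
        else if (f[i].off > covered)
            flags |= FRAG_GAP;
        if (!(flags & FRAG_NO_LAST) && stop > end)
            flags |= FRAG_PAST_END;
        if (stop > covered)
            covered = stop;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample: second fragment overlaps the first by 8 bytes. */
    struct frag s[] = { {0, 24, 1}, {16, 16, 1}, {32, 8, 0} };
    printf("anomalies: 0x%02x\n", check_fragments(s, 3));
    return 0;
}
```

A result of 0 means the set is contiguous from offset 0 to a single final fragment; any other value names what a user would have to resolve before the reassembled packet can be trusted.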