On Wed, Feb 14, 2001 at 04:45:57PM -0600, David Frascone wrote:
> Do tvbuffers help solve the problem of tcp fragmenting the input stream?
They possibly help the one problem of tcp reassembly.
They do help the problem of reaching beyond the end of the packet
to grab data because the next dissector assumes that it has
a full packet.
The TVBUFF_COMPOSITE could be used to take multiple tvbuffs
(payloads of tcp fragments) and make a new tvbuff from them.
But there is no code to do that.
Furthemore, I don't know if that's the right approach for TCP.
For IP, I think it is, since a fragmented IP packet, when re-combined,
won't be that big and can be fit into memory.
TCP, being a stream, could have *many* fragments that when combined would
not fit comfortably in memory (think of an FTP or HTTP download of
a big file). Using TVBUFF_COMPOSITEs would require that the tvbuffs
be in memory. I don't know; perhaps a better approach for TCP would
be to do what "tcp follow" does and to save the stream to a file first.
Hmm, yeah. This intermediate "tcp follow" file could be written
in a format that wiretap understands, have a wtap type of WTAP_ENCAP_TCP,
and then be read in like any other file.... :)
But such code does not exist yet.
> Has this been handled by ethereal, or do I have to put a static buffer into
> my dissector.
Not yet, but it has been on the list of things-to-to forever.
--gilbert
