Wireshark · Ethereal-dev: Re: [Ethereal-dev] Dissector design question

Ethereal-dev: Re: [Ethereal-dev] Dissector design question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Martin Warnes <martin@xxxxxxxxxxxxxxxxx>

Date: Wed, 15 Feb 2006 20:36:29 +0000

Guy Harris wrote the following on 02/15/06 19:40:
> Michael J. Lynch wrote:
>> This question was triggered by a post from someone having trouble
>> getting message fragment re-assembly working.  The basic question I
>> have is, if I write a dissector for a protocol that rides on top of
>> another protocol (TCP for example) and the upper level protocol
>> does not in and of itself fragment messages but does send messages
>> large enough to cause them to be fragmented by the TCP layer, can
>> I count on the message being re-assembled by the TCP dissector
>> before it is handed off to my dissector?
>
> Not unless your dissector tells the TCP dissector to do so.
>
> TCP is a byte-stream protocol, and has no notion of packet boundaries,
> just TCP segment boundaries, which don't necessarily correspond to
> packet boundaries in packets running atop TCP.  As such, TCP cannot
> reassemble higher-level packets without help from the dissector for
> the protocol for those packets.
>
> Dissectors for protocols running atop TCP get handed TCP segment data;
> they are responsible for dealing with a TCP segment containing data
> from more than one packet, or containing less than the full data of a
> packet.
>
> If
>
>     1) packets in the protocol are always N bytes or longer;
>
>     2) the first N bytes of the packet can always be used to determine
> how long the packet is;
>
> then you can have your dissector call tcp_dissect_pdus() to do all
> that work - you just need to write a routine that will be handed a
> tvbuff and offset and process the "first N bytes", starting at that
> offset, to compute the length, and a routine that will be handed a
> tvbuff containing a reassembled packet and dissect it, and pass them,
> along with the value of N, to tcp_dissect_pdus().
>
>
Excellent! this pretty much fits my needs as well, and answers my
earlier question regarding problems I'm having reassembling packets. I
take a closer look at the tcp_dissect_pdus() function.

Thanks for the info.

Martin

----------------------------------------------------------
Scanned by ClamAV antivirus system - http://www.clamav.net
Virus signatures last updated: Wed Feb 15 19:30:04 2006

References:
- [Ethereal-dev] Dissector design question
  - From: Michael J. Lynch
- Re: [Ethereal-dev] Dissector design question
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] Parsing PDML in Perl
Next by Date: [Ethereal-dev] HTTP chunked decoding patch
Previous by thread: Re: [Ethereal-dev] Dissector design question
Next by thread: Re: [Ethereal-dev] Dissector design question
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$