Wireshark-dev: Re: [Wireshark-dev] A question related to conversations
From: Richard Achmatowicz <rachmato@xxxxxxxxxx>
Date: Wed, 16 Jul 2008 12:58:44 -0400 (EDT)
Qualifier: Concerning the fact that TCP segments are never reassembled in my example, I think I found the answer. JGroups generally writes a length field followed by data when writing to the TCP stream - except in one case - when it initially opens a TCP connection. It does it's own little handshake with the remote peer, and this handshake packet does not include a length field. I assume that my dissector is interpreting it as a length field (and it turns out to be a huge length) and so segment reassembly is failing for that reason. Richard ----- Original Message ----- From: "Richard Achmatowicz" <rachmato@xxxxxxxxxx> To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx> Sent: Wednesday, July 16, 2008 12:00:44 PM GMT -05:00 US/Canada Eastern Subject: Re: [Wireshark-dev] A question related to conversations Sake Thanks for your help so far. 1. JGroups can use UDP or TCP as a transport, but not both. Assume for the time being that it uses TCP only. 2. By a two process interaction, I just mean a TCP connection between some addr1/port1 and some addr2/port2. I initially wrote a dissector which worked for UDP packets which contained a single, complete JGroups PDU. Because of TCP segmentation, I had to modify this dissector to call tcp_dissect_pdus() before calling the JGroups PDU dissector, so that TCP segment reassembly could take place. With this in place, I get captures which look like the attached screenshot (JGroupsDissector). For example, packets 22,23,24 are the start of a TCP connection between 192.168.0.101:46272 and 192.168.0.101:asr. Packets 25, 27 and 29 are JGroups PDUs being sent from 46272 to asr; packet 31 is a JGroups PDU being sent from asr to 46272. Only the packet from asr to 46272 is dissected as a JGroups PDU; the packets from 46272 to asr are not. This is consistent throughout the whole dissection. This is what I meant by "only one side of the exchange is being dissected". On the other hand, for the TCP packets from 46272 to asr, they are marked as "TCP segment of a reassembled PDU" - but never seem to get processed as a JGROUPS PDU. I assume that these reassembled PDU messages are a result of using tcp_dissect_pdus(). Does this look suspicious? In the dissector, I have registered the dissector with TCP using a specified TCP port. In the example screenshot, it is set to the value of asr (actually 7800). If I change the specified TCP port to 1234, no JGROUPS level dissection takes place. So one question: if TCP creates the conversations automatically, how does Wireshark know to apply the JGROUPS dissector to both directions of a conversation, which I specifically associated the disector with a single port (which happens to be the port of one side of the connection)? Richard ----- Original Message ----- From: "Sake Blok" <sake@xxxxxxxxxx> To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx> Sent: Tuesday, July 15, 2008 5:57:37 PM GMT -05:00 US/Canada Eastern Subject: Re: [Wireshark-dev] A question related to conversations On Tue, Jul 15, 2008 at 11:06:58AM -0400, Richard Achmatowicz wrote: > > I've created a basic dissector for the JGroups group communication > protocol which can dissect JGroups PDU when running atop TCP or UDP. At > present, the dissection is based on specifying a port number (either udp > port or tcp port, depending on the transport used) in the preferences > section, in order to indicate to wireshark which packets it captures > should have the JGroups PDU dissector applied. However, this results in > PDUs in only one direction of a two process interaction to be dissected. As I am not aware of the way JGroups communication is implemented, could you explain what you mean with "two process interaction". Do the two processes communicate over 1 TCP or UDP "connection"? If this is true then the dissection of both sides of a TCP connection should be dissected as the tcp dissector creates a conversation per tcp connection. For an UDP session, the protocol atop UDP is responsible for creating a conversation to link returning traffic to the same dissector. > I'm trying to achieve two things at present: > (i) as a first step, have both directions of a two process interaction > dissected See above, for tcp sessions it should work automagically and for udp sessions, you should use conversations. Have a look at the doc/README.developer file under chapter 2.2 > (ii) as a second step, within the larger context of a two process > interaction, where we can view the interaction as consisting of a > sequence of known, prototcol specific phases (e.g in the case of > JGroups, discover peers, join group, exchange data with group members, > leave group) Are all these interactions separate TCP/UDP sessions? Or are they phases within one session? If they are phases within one TCP/UDP session, you can add state information to the conversation. Make you only update state information when the flag pinfo->fd->flags.visited is FALSE, as packets will be read once in sequence (with this flag FALSE) and then can be accessed randomly when a user clicks on a packet (then the flag will be TRUE). > I want to be able to have wireshark identify and mark > those phases, say, with colours Once you have dissected all the data and added fields, people can then creat coloring rules for these fields/values. It is not possible to let the dissector change the coloring of packets. > I'll limit my question to the first part, as it is my immediate problem. > > Are conversations the principal way of achieving (i) - namely, getting > two sides of an interaction to be dissected, as opposed to one specified > by a single port number? Yes, see above... > Is there any special coding of the conversation logic required in order > to get this effect? For example, in a JGroups capture session, there may > be several addr1/port1 addr2/port2 combinations which are interacting, > and i'd like each side of these exchanges to be dissected. Do I just > need to try and find a conversation for each packet I encounter, and if > it doesn't belong to one, then create one? All conversations have "addr1/port1 addr2/port2 framenumber" to identify the session. The frame number is used when there are two or more conversations that use the same "addr1/port1 addr2/port2" combination. Of course these two conversations should not be overlapping. Hope this helps, Cheers, Sake _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev
- Follow-Ups:
- Re: [Wireshark-dev] A question related to conversations
- From: Guy Harris
- Re: [Wireshark-dev] A question related to conversations
- References:
- Re: [Wireshark-dev] A question related to conversations
- From: Richard Achmatowicz
- Re: [Wireshark-dev] A question related to conversations
- Prev by Date: Re: [Wireshark-dev] Problem seeing my USB NIC card
- Next by Date: [Wireshark-dev] To know about the wireshark
- Previous by thread: Re: [Wireshark-dev] A question related to conversations
- Next by thread: Re: [Wireshark-dev] A question related to conversations
- Index(es):