Wireshark-dev: Re: [Wireshark-dev] Reassembling splitted PPP packets
From: philippe alarcon <philippe.alarcon@xxxxxxx>
Date: Fri, 6 Mar 2009 16:16:56 +0100
Hello,

As far as I have seen in Wireshark sources, it is able to dissect PPP packets, and a PPP dissector is embedded.
Nevertheless, an example packet will help to understand how it is managed by Wireshark.

Regards
Philippe

Date: Fri, 6 Mar 2009 05:51:49 -0800
From: hanschris.glueck@xxxxxxxx
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hello,
you are right, every PPP header has a length of 7 byte and I have one byte which indicates the total length of my PPP header.
Header_Size (size of all PPP header, a multiple of 7)
Msg_ID (2byte)
Freq_ID (2byte)
Start_Pos (1byte)
End_Pos (1byte)
Flag (1byte)
... (more PPP header)
MUX_Packet (begin of multiplexer packet)
and you are right - once again :). There is a mistake in tmpOffset - it should be reset to 7
tmpOffset = i * tmpOffset+1;
for i = 1, tmpOffset = 7+1 = 8 -> tmpOffset = 8;
for i = 2, tmpOffset = 2 x 7 + 1 = 15 -> tmpOffset = 7;
for i = 3, tmpOffset = 3 x 7 + 1 = 22 -> tmpOffset = 7;

Concerning PPP dissection: Do I have to call a special dissector or will Wireshark do it?
I'll send you an example of a packet on Monday - today I'm not in the office...
Thanks
Chris
From: philippe alarcon <philippe.alarcon@xxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Thursday, 5 March 2009, 14:51:51
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hello Chris,

Could you send us an example of stored packets within a pcap file?

Then regarding your code, I think there could be a problem with how your header offset is managed (tmpOffset variable).
I have understood that the packet begins with several headers, each header has a length of 7 octets.
tmpOffset is updated after each extracted field, and for one header, tmpOffset = tmpOffset + 7. Correct?

Then when beginning the following loop, tmpOffset is updated as follows:
tmpOffset = i * tmpOffset+1;
for i = 0, tmpOffset = 0
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x (8 + 7 + 1) = 32
for i = 3, tmpOffset = 2 x (32 + 7 + 1) = 80

Regards
Philippe

> Date: Thu, 5 Mar 2009 05:02:45 -0800
> From: hanschris.glueck@xxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] Reassembling splitted PPP packets
>
> Hej,
>
> I've written a dissector for a multiplexer-protocol. The payload of these multiplexer packets could be PPP packets, most of these packets will be split into several mux packets.
> I've tried to reassemble these PPP packets (reading that article 9.4.1. How to reassemble split UDP packets), but it doesn't work...
> To get the necessary data I've added a new header to my multiplexer packet so I have the information about the fragments.
>
> What am I doing wrong?
>
> //Check if there is a PPP packet inside
> if (sizeMuxPPPHeader > 0){
>     guint16 tmpOffset = 1;
>     guint16 tmpOffsetBegin = 1;
>     guint16 tmpOffsetEnd = 1;
>
>     //There could be more than one PPP packet in the multiplexer packet
>     for (i = 0; i < sizeMuxPPPHeader/7; i++){
>
>         tvbuff_t* new_tvb = NULL;
>         fragment_data *frag_msg = NULL;
>         guint16 msg_seqid;  //ID of the message
>         guint16 msg_num;    //Sequence number
>
>         guint8 msg_start;   //Start position of PPP packet
>         guint8 msg_end;     //End of PPP packet
>         guint8 msg_flag;    //Flag of packet
>
>         tmpOffset = i * tmpOffset+1;
>
>         //Get the necessary data
>         msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
>         msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
>         msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>         msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>         msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
>         //Calculate the offset
>         tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start;
>         tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
>
>         pinfo->fragmented = TRUE;
>         frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
>             msg_seqid,              /* ID for fragments belonging together */
>             msg_fragment_table,     /* list of message fragments */
>             msg_reassembled_table,  /* list of reassembled messages */
>             msg_num,                /* fragment sequence number */
>             tmpOffsetEnd,           /* fragment length - to the end */
>             msg_flag);              /* More fragments? */
>
>         new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
>             "Reassembled Message", frag_msg, &msg_frag_items,
>             NULL, mux27010_tree);
>
>         if (frag_msg) { /* Reassembled */
>             if (check_col(pinfo->cinfo, COL_INFO))
>                 col_append_str(pinfo->cinfo, COL_INFO,
>                     " (Message Reassembled)");
>         } else { /* Not last packet of reassembled Short Message */
>             if (check_col(pinfo->cinfo, COL_INFO))
>                 col_append_fstr(pinfo->cinfo, COL_INFO,
>                     " (Message fragment %u)", msg_num);
>         }
>         if (new_tvb) { /* take it all */
>             next_tvb = new_tvb;
>         } else { /* make a new subset */
>             next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
>         }
>
> Regards, Chris
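
Added example (not part of the thread and not Wireshark code): a standalone C parser for the header layout Chris lists (Header_Size byte, then 7-byte records, then MUX_Packet), deriving each record offset from `i` alone and bounds-checking every value taken from the packet before it is used as an offset. The names `parse_ppp_rec`, `struct ppp_rec` and `sample` are hypothetical, and treating End_Pos as the inclusive index of the last fragment byte is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_LEN 7  /* Msg_ID(2) Freq_ID(2) Start_Pos(1) End_Pos(1) Flag(1) */

struct ppp_rec { uint16_t msg_id, freq_id; uint8_t flag; size_t frag_off, frag_len; };

/* Parse record i of one MUX packet. Returns 0 on success, -1 if the packet
 * is malformed or i is past the last record. Never reads outside buf. */
int parse_ppp_rec(const uint8_t *buf, size_t len, unsigned i, struct ppp_rec *out)
{
    if (len < 1) return -1;
    size_t hdr_size = buf[0];              /* Header_Size comes from the wire: untrusted */
    if (hdr_size % REC_LEN != 0 || i >= hdr_size / REC_LEN) return -1;

    size_t payload = 1 + hdr_size;         /* first byte of MUX_Packet */
    if (payload > len) return -1;          /* header area is truncated */

    size_t off = 1 + (size_t)i * REC_LEN;  /* depends on i only, nothing accumulated */
    out->msg_id  = (uint16_t)(buf[off] << 8 | buf[off + 1]);
    out->freq_id = (uint16_t)(buf[off + 2] << 8 | buf[off + 3]);
    uint8_t start = buf[off + 4];
    uint8_t end   = buf[off + 5];
    out->flag     = buf[off + 6];

    /* Assumption: End_Pos is the inclusive index of the last fragment byte. */
    if (start > end || payload + end >= len) return -1;

    out->frag_off = payload + start;
    out->frag_len = (size_t)end - start + 1;
    return 0;
}

/* Constructed sample: Header_Size = 14 (two records), then a 6-byte payload. */
static const uint8_t sample[] = {
    14,
    0x00, 0x01, 0x00, 0x00, 0, 2, 1,
    0x00, 0x02, 0x00, 0x05, 3, 5, 0,
    'a', 'b', 'c', 'd', 'e', 'f'
};

int main(void)
{
    struct ppp_rec r;
    for (unsigned i = 0; parse_ppp_rec(sample, sizeof sample, i, &r) == 0; i++)
        printf("rec %u: id=%u off=%zu len=%zu\n", i, (unsigned)r.msg_id, r.frag_off, r.frag_len);
    return 0;
}
```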