Wireshark-dev: Re: [Wireshark-dev] Reassembling splitted PPP packets
From: Hans Glück <hanschris.glueck@xxxxxxxx>
Date: Mon, 9 Mar 2009 07:01:01 -0700 (PDT)
Hi,
ok, here is my code, a pcap example with 4 packets inside (2 are a splitted PPP packet, and 2 are ACKs) and a little picture of the first splittet packet. I hope it is understanable :)
I´m not sure where I have to call the ppp dissector, I tried it in
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
But this clause became never true...
/*We have at least one PPP packet*/
if (sizeMuxPPPHeader > 0){
guint16 tmpOffset = 1;
guint16 tmpOffsetBegin = 1;
guint16 tmpOffsetEnd = 1;
tvbuff_t* new_tvb = NULL;
fragment_data *frag_msg = NULL;
guint16 msg_seqid;//ID of the message
guint16 msg_num;//Sequence number
guint8 msg_start;//Start position of PPP packet
guint8 msg_end;//End of PPP packet
guint8 msg_flag;//Flag of packet
//There could be more than one PPP packet in the multiplexer packet
for (i = 0; i < sizeMuxPPPHeader/7; i++){
tmpOffset = 7;
tmpOffset = i * tmpOffset+1;
//Get the necessary data
msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
//Calculate the offset
tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; //+ Header_Size, + Direction
tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
pinfo->fragmented = TRUE;
frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
msg_seqid, /* ID for fragments belonging together */
msg_fragment_table, /* list of message fragments */
msg_reassembled_table, /* list of reassembled messages */
msg_num, /* fragment sequence number */
tmpOffsetEnd, /* fragment length - to the end */
msg_flag); /* More fragments? */
new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
"Reassembled Message", frag_msg, &msg_frag_items,
NULL, mux27010_tree);
if (frag_msg) { /* Reassembled */
// call_dissector( ppp_handle, new_tvb, pinfo, tree ); -> Trying to call PPP dissector => Error (new_tvb=null)
if (check_col(pinfo->cinfo, COL_INFO)) col_append_str(pinfo->cinfo, COL_INFO," (Reassembled)");
} else { /* Not last packet of reassembled Short Message */
if (check_col(pinfo->cinfo, COL_INFO)) col_append_fstr(pinfo->cinfo, COL_INFO," (Message fragment %u)", msg_num);
}
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
} else { /* make a new subset */
// next_tvb = tvb_new_subset(tvb, tmpOffsetBegin + 1, length_info-1, length_info-1);
// call_dissector( ppp_handle, next_tvb, pinfo, tree );
}
}
}
ok, here is my code, a pcap example with 4 packets inside (2 are a splitted PPP packet, and 2 are ACKs) and a little picture of the first splittet packet. I hope it is understanable :)
I´m not sure where I have to call the ppp dissector, I tried it in
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
But this clause became never true...
/*We have at least one PPP packet*/
if (sizeMuxPPPHeader > 0){
guint16 tmpOffset = 1;
guint16 tmpOffsetBegin = 1;
guint16 tmpOffsetEnd = 1;
tvbuff_t* new_tvb = NULL;
fragment_data *frag_msg = NULL;
guint16 msg_seqid;//ID of the message
guint16 msg_num;//Sequence number
guint8 msg_start;//Start position of PPP packet
guint8 msg_end;//End of PPP packet
guint8 msg_flag;//Flag of packet
//There could be more than one PPP packet in the multiplexer packet
for (i = 0; i < sizeMuxPPPHeader/7; i++){
tmpOffset = 7;
tmpOffset = i * tmpOffset+1;
//Get the necessary data
msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
//Calculate the offset
tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; //+ Header_Size, + Direction
tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
pinfo->fragmented = TRUE;
frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
msg_seqid, /* ID for fragments belonging together */
msg_fragment_table, /* list of message fragments */
msg_reassembled_table, /* list of reassembled messages */
msg_num, /* fragment sequence number */
tmpOffsetEnd, /* fragment length - to the end */
msg_flag); /* More fragments? */
new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
"Reassembled Message", frag_msg, &msg_frag_items,
NULL, mux27010_tree);
if (frag_msg) { /* Reassembled */
// call_dissector( ppp_handle, new_tvb, pinfo, tree ); -> Trying to call PPP dissector => Error (new_tvb=null)
if (check_col(pinfo->cinfo, COL_INFO)) col_append_str(pinfo->cinfo, COL_INFO," (Reassembled)");
} else { /* Not last packet of reassembled Short Message */
if (check_col(pinfo->cinfo, COL_INFO)) col_append_fstr(pinfo->cinfo, COL_INFO," (Message fragment %u)", msg_num);
}
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
} else { /* make a new subset */
// next_tvb = tvb_new_subset(tvb, tmpOffsetBegin + 1, length_info-1, length_info-1);
// call_dissector( ppp_handle, next_tvb, pinfo, tree );
}
}
}
Thanks,
Chris
Von: philippe alarcon <philippe.alarcon@xxxxxxx>
An: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Gesendet: Freitag, den 6. März 2009, 16:16:56 Uhr
Betreff: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello,
As far as I have seen in WireShark sources, it is able to dissect PPP packets,
and a PPP dissector is embedded.
Nevertheless the example of packet will help to understand
how it is managed by WireShark.
Regards
Philippe
Date: Fri, 6 Mar 2009 05:51:49 -0800
From: hanschris.glueck@xxxxxxxx
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello,
you are right, every PPP header has a length of 7 byte and I have one byte which indicates the total length of my PPP header.
Header_Size (size of all PPP header, a multiple of 7)
Msg_ID (2byte)
Freq_ID (2byte)
Start_Pos (1byte)
End_Pos (1byte)
Flag (1byte)
... (more PPP header)
MUX_Packet (begin of multiplexer packet)
and you are right - once again :). There is a mistake in tmpOffset - it should be reset to 7
tmpOffset = i * tmpOffset+1;
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x 7 + 1 = 15
for i = 3, tmpOffset = 3 x 7 + 1 = 22
for i = 1, tmpOffset = 7+1 = 8
-> tmpOffset = 8;
for i = 2, tmpOffset = 2 x 7 + 1 = 15
-> tmpOffset = 7;
for i = 3, tmpOffset = 3 x 7 + 1 = 22
-> tmpOffset = 7;
Concerning PPP dissection: Do I have to call a special dissector or will wireshark do it?
I´ll send you an example of a packet on monday - today I´m not in the office...
Thanks
Chris
Von: philippe alarcon <philippe.alarcon@xxxxxxxx>
An: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Gesendet: Donnerstag, den 5. März 2009, 14:51:51 Uhr
Betreff: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello Chris,
Could you send us an example of stored packets within a pcap file ?
Then regarding your code, I think there could be a problem how
your header offset is managed (tmpOffset variable).
I have understood that the packet begins with several headers,
each header has a length of 7 octets.
tmpOffset is updated after each extracted field,
and for one header, tmpOffset = tmpOffset + 7.
Correct ?
Then when beginning the following loop, tmpOffset is updated as the following :
Regards
Philippe
> Date: Thu, 5 Mar 2009 05:02:45 -0800
> From: hanschris.glueck@xxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] Reassembling splitted PPP packets
>
>
> Hej,
>
> I´ve written a dissector for a multiplexer-protocol. The payload of these multiplexer packets could be PPP packets, most of these packets will be splitted to several mux packets.
> I´ve tried to reassemble these PPP packets (reading that article 9.4.1. How to reassemble split UDP packets), but it doesn´t work....
> To get the necessary data I´ve added a new header to my multiplexer packet so I have the information about the fragments.
>
> What am I doing wrong?
>
> //Check if there is a PPP packet inside
> if (sizeMuxPPPHeader > 0){
> guint16 tmpOffset = 1;
> guint16 tmpOffsetBegin = 1;
> guint16 tmpOffsetEnd = 1;
>
> //There could be more than one PPP packet in the multiplexer packet
> for (i = 0; i < sizeMuxPPPHeader/7; i++){
>
> tvbuff_t* new_tvb = NULL;
> fragment_data *frag_msg = NULL;
> guint16 msg_seqid; //ID of the message
> guint16 msg_num; //Sequence number
>
> guint8 msg_start; //Start position of PPP packet
> guint8 msg_end; //End of PPP packet
> guint8 msg_flag; //Flag of packet
>
> tmpOffset = i * tmpOffset+1;
>
> //Get the necessary data
> msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
> msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
> msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
> //Calculate the offset
> tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start;
> tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
>
> pinfo->fragmented = TRUE;
> frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
> msg_seqid, /* ID for fragments belonging together */
> msg_fragment_table, /* list of message fragments */
> msg_reassembled_table, /* list of reassembled messages */
> msg_num, /* fragment sequence number */
> tmpOffsetEnd, /* fragment length - to the end */
> msg_flag); /* More fragments? */
>
>
> new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
> "Reassembled Message", frag_msg, &msg_frag_items,
> NULL, mux27010_tree);
>
> if (frag_msg) { /* Reassembled */
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_str(pinfo->cinfo, COL_INFO,
> " (Message Reassembled)");
> } else { /* Not last packet of reassembled Short Message */
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_fstr(pinfo->cinfo, COL_INFO,
> " (Message fragment %u)", msg_num);
> }
> if (new_tvb) { /* take it all */
> next_tvb = new_tvb;
> } else { /* make a new subset */
> next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
> }
>
> Regards, Chris
>
>
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
An: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Gesendet: Donnerstag, den 5. März 2009, 14:51:51 Uhr
Betreff: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello Chris,
Could you send us an example of stored packets within a pcap file ?
Then regarding your code, I think there could be a problem how
your header offset is managed (tmpOffset variable).
I have understood that the packet begins with several headers,
each header has a length of 7 octets.
tmpOffset is updated after each extracted field,
and for one header, tmpOffset = tmpOffset + 7.
Correct ?
Then when beginning the following loop, tmpOffset is updated as the following :
tmpOffset = i * tmpOffset+1;
for i = 0, tmpOffset = 0
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x (8 + 7 + 1) = 32
for i = 3, tmpOffset = 2 x (32 + 7 + 1) = 80
for i = 0, tmpOffset = 0
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x (8 + 7 + 1) = 32
for i = 3, tmpOffset = 2 x (32 + 7 + 1) = 80
Regards
Philippe
> Date: Thu, 5 Mar 2009 05:02:45 -0800
> From: hanschris.glueck@xxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] Reassembling splitted PPP packets
>
>
> Hej,
>
> I´ve written a dissector for a multiplexer-protocol. The payload of these multiplexer packets could be PPP packets, most of these packets will be splitted to several mux packets.
> I´ve tried to reassemble these PPP packets (reading that article 9.4.1. How to reassemble split UDP packets), but it doesn´t work....
> To get the necessary data I´ve added a new header to my multiplexer packet so I have the information about the fragments.
>
> What am I doing wrong?
>
> //Check if there is a PPP packet inside
> if (sizeMuxPPPHeader > 0){
> guint16 tmpOffset = 1;
> guint16 tmpOffsetBegin = 1;
> guint16 tmpOffsetEnd = 1;
>
> //There could be more than one PPP packet in the multiplexer packet
> for (i = 0; i < sizeMuxPPPHeader/7; i++){
>
> tvbuff_t* new_tvb = NULL;
> fragment_data *frag_msg = NULL;
> guint16 msg_seqid; //ID of the message
> guint16 msg_num; //Sequence number
>
> guint8 msg_start; //Start position of PPP packet
> guint8 msg_end; //End of PPP packet
> guint8 msg_flag; //Flag of packet
>
> tmpOffset = i * tmpOffset+1;
>
> //Get the necessary data
> msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
> msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
> msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
> //Calculate the offset
> tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start;
> tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
>
> pinfo->fragmented = TRUE;
> frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
> msg_seqid, /* ID for fragments belonging together */
> msg_fragment_table, /* list of message fragments */
> msg_reassembled_table, /* list of reassembled messages */
> msg_num, /* fragment sequence number */
> tmpOffsetEnd, /* fragment length - to the end */
> msg_flag); /* More fragments? */
>
>
> new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
> "Reassembled Message", frag_msg, &msg_frag_items,
> NULL, mux27010_tree);
>
> if (frag_msg) { /* Reassembled */
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_str(pinfo->cinfo, COL_INFO,
> " (Message Reassembled)");
> } else { /* Not last packet of reassembled Short Message */
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_fstr(pinfo->cinfo, COL_INFO,
> " (Message fragment %u)", msg_num);
> }
> if (new_tvb) { /* take it all */
> next_tvb = new_tvb;
> } else { /* make a new subset */
> next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
> }
>
> Regards, Chris
>
>
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
Discutez sur Messenger où que vous soyez ! Mettez Messenger sur votre mobile !
Discutez sur Messenger où que vous soyez ! Mettez Messenger sur votre mobile !
Attachment:
mux_packet_first_ppp_sequence.JPG
Description: JPEG image
Attachment:
reassembling.pcap
Description: Binary data
- Follow-Ups:
- Re: [Wireshark-dev] Reassembling splitted PPP packets
- From: philippe alarcon
- Re: [Wireshark-dev] Reassembling splitted PPP packets
- Prev by Date: Re: [Wireshark-dev] buildbot failure in Wireshark (development) on Windows-XP-x86
- Next by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on Ubuntu-7.10-x86-64
- Previous by thread: Re: [Wireshark-dev] Reassembling splitted PPP packets
- Next by thread: Re: [Wireshark-dev] Reassembling splitted PPP packets
- Index(es):