Wireshark-dev: Re: [Wireshark-dev] Reassembling splitted PPP packets
From: philippe alarcon <philippe.alarcon@xxxxxxx>
Date: Mon, 9 Mar 2009 22:50:13 +0100
Hello,

I have had a look at your pcap example. The beginning of the first packet is:

07 00 01 00 00 06 F9 01 00 F9 07 A8 E8 01 7E 21

Then for this packet, according to your code:

msg_seqid = 0x700
msg_num   = 0x100
msg_start = 0
msg_end   = 0x06
msg_flag  = 0xF9

Something is wrong: the length (difference between end and start) is neither equal nor near to the packet length.

Then I have checked the second packet. It is the same. When I compare both packets, I have observed the following structure:

Description  | Length  | Value
Header       | 1 byte  | 07
Message ID   | 2 bytes | 0001
Fragment Num | 2 bytes | 0000
Data start   | 1 byte  | 06
Data length  | 1 byte  | F9
Packet flag  | 1 byte  | 01 = fragment
Unused       | 1 byte  | 00
Data limiter | 1 byte  | F9
Data         | x bytes | 07 A8 E8 01 ... B9 (F9 bytes)
Data limiter | 1 byte  | F9

If I apply this structure to the second packet, I obtain:

Description  | Length  | Value
Header       | 1 byte  | 07
Message ID   | 2 bytes | 0001
Fragment Num | 2 bytes | 0001
Data start   | 1 byte  | 06
Data length  | 1 byte  | CA
Packet flag  | 1 byte  | 00 = last fragment
Unused       | 1 byte  | 00
Data limiter | 1 byte  | F9
Data         | x bytes | 07 AA 8A 01 ... 7C (CA bytes)
Data limiter | 1 byte  | F9

If this is correct, it implies:
- there is only one header per packet,
- the length of the header for one packet is 9 bytes.

This could explain why you do not point to the correct information, and in particular to the packet flag information. Then the fragment_add_seq_check() function never has the information that it is the last packet, and so process_reassembled_data() never manages to reassemble the whole message.

I hope this will help you.

Regards
Philippe

Date: Mon, 9 Mar 2009 07:01:01 -0700
From: hanschris.glueck@xxxxxxxx
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hi,

ok, here is my code, a pcap example with 4 packets inside (2 are a split PPP packet, and 2 are ACKs) and a little picture of the first split packet.
I hope it is understandable :)

I'm not sure where I have to call the ppp dissector, I tried it in

    if (new_tvb) { /* take it all */ //this never became true!
        next_tvb = new_tvb;
        call_dissector( ppp_handle, next_tvb, pinfo, tree );

But this clause never became true...

    /*We have at least one PPP packet*/
    if (sizeMuxPPPHeader > 0){
        guint16 tmpOffset = 1;
        guint16 tmpOffsetBegin = 1;
        guint16 tmpOffsetEnd = 1;
        tvbuff_t* new_tvb = NULL;
        fragment_data *frag_msg = NULL;
        guint16 msg_seqid;  //ID of the message
        guint16 msg_num;    //Sequence number
        guint8 msg_start;   //Start position of PPP packet
        guint8 msg_end;     //End of PPP packet
        guint8 msg_flag;    //Flag of packet

        //There could be more than one PPP packet in the multiplexer packet
        for (i = 0; i < sizeMuxPPPHeader/7; i++){
            tmpOffset = 7;
            tmpOffset = i * tmpOffset+1;

            //Get the necessary data
            msg_seqid = tvb_get_ntohs(tvb, tmpOffset);  tmpOffset += 2;
            msg_num   = tvb_get_ntohs(tvb, tmpOffset);  tmpOffset += 2;
            msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
            msg_end   = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
            msg_flag  = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;

            //Calculate the offset
            tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; //+ Header_Size, + Direction
            tmpOffsetEnd   = sizeMuxPPPHeader + 1 + msg_end;

            pinfo->fragmented = TRUE;
            frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
                msg_seqid,             /* ID for fragments belonging together */
                msg_fragment_table,    /* list of message fragments */
                msg_reassembled_table, /* list of reassembled messages */
                msg_num,               /* fragment sequence number */
                tmpOffsetEnd,          /* fragment length - to the end */
                msg_flag);             /* More fragments? */

            new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
                "Reassembled Message", frag_msg, &msg_frag_items,
                NULL, mux27010_tree);

            if (frag_msg) { /* Reassembled */
                // call_dissector( ppp_handle, new_tvb, pinfo, tree ); -> Trying to call PPP dissector => Error (new_tvb=null)
                if (check_col(pinfo->cinfo, COL_INFO))
                    col_append_str(pinfo->cinfo, COL_INFO, " (Reassembled)");
            } else { /* Not last packet of reassembled Short Message */
                if (check_col(pinfo->cinfo, COL_INFO))
                    col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %u)", msg_num);
            }

            if (new_tvb) { /* take it all */ //this never became true!
                next_tvb = new_tvb;
                call_dissector( ppp_handle, next_tvb, pinfo, tree );
            } else { /* make a new subset */
                // next_tvb = tvb_new_subset(tvb, tmpOffsetBegin + 1, length_info-1, length_info-1);
                // call_dissector( ppp_handle, next_tvb, pinfo, tree );
            }
        }
    }

Thanks,
Chris

From: philippe alarcon <philippe.alarcon@xxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Friday, 6 March 2009, 16:16:56
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hello,

As far as I have seen in the Wireshark sources, it is able to dissect PPP packets, and a PPP dissector is embedded. Nevertheless an example packet will help to understand how it is managed by Wireshark.

Regards
Philippe

Date: Fri, 6 Mar 2009 05:51:49 -0800
From: hanschris.glueck@xxxxxxxx
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hello,
you are right, every PPP header has a length of 7 bytes, and I have one byte which indicates the total length of my PPP header:
Header_Size (size of all PPP header, a multiple of 7)
Msg_ID (2byte)
Freq_ID (2byte)
Start_Pos (1byte)
End_Pos (1byte)
Flag (1byte)
... (more PPP header)
MUX_Packet (begin of multiplexer packet)
and you are right - once again :). There is a mistake in tmpOffset - it should be reset to 7
tmpOffset = i * tmpOffset+1;
for i = 1, tmpOffset = 7+1 = 8 -> tmpOffset = 8;
for i = 2, tmpOffset = 2 x 7 + 1 = 15 -> tmpOffset = 7;
for i = 3, tmpOffset = 3 x 7 + 1 = 22 -> tmpOffset = 7;

Concerning PPP dissection: Do I have to call a special dissector or will Wireshark do it?

I'll send you an example of a packet on Monday - today I'm not in the office...
Thanks
Chris
From: philippe alarcon <philippe.alarcon@xxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Thursday, 5 March 2009, 14:51:51
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets

Hello Chris,

Could you send us an example of stored packets within a pcap file?

Then regarding your code, I think there could be a problem with how your header offset is managed (tmpOffset variable). I have understood that the packet begins with several headers, each header has a length of 7 octets. tmpOffset is updated after each extracted field, and for one header, tmpOffset = tmpOffset + 7. Correct?

Then when beginning the following loop, tmpOffset is updated as follows:

tmpOffset = i * tmpOffset+1;

for i = 0, tmpOffset = 0
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x (8 + 7 + 1) = 32
for i = 3, tmpOffset = 2 x (32 + 7 + 1) = 80

Regards
Philippe

> Date: Thu, 5 Mar 2009 05:02:45 -0800
> From: hanschris.glueck@xxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] Reassembling splitted PPP packets
>
> Hej,
>
> I've written a dissector for a multiplexer protocol. The payload of these multiplexer packets could be PPP packets; most of these packets will be split into several mux packets.
> I've tried to reassemble these PPP packets (reading that article 9.4.1. How to reassemble split UDP packets), but it doesn't work....
> To get the necessary data I've added a new header to my multiplexer packet so I have the information about the fragments.
>
> What am I doing wrong?
>
> //Check if there is a PPP packet inside
> if (sizeMuxPPPHeader > 0){
>     guint16 tmpOffset = 1;
>     guint16 tmpOffsetBegin = 1;
>     guint16 tmpOffsetEnd = 1;
>
>     //There could be more than one PPP packet in the multiplexer packet
>     for (i = 0; i < sizeMuxPPPHeader/7; i++){
>
>         tvbuff_t* new_tvb = NULL;
>         fragment_data *frag_msg = NULL;
>         guint16 msg_seqid; //ID of the message
>         guint16 msg_num;   //Sequence number
>
>         guint8 msg_start;  //Start position of PPP packet
>         guint8 msg_end;    //End of PPP packet
>         guint8 msg_flag;   //Flag of packet
>
>         tmpOffset = i * tmpOffset+1;
>
>         //Get the necessary data
>         msg_seqid = tvb_get_ntohs(tvb, tmpOffset);  tmpOffset += 2;
>         msg_num   = tvb_get_ntohs(tvb, tmpOffset);  tmpOffset += 2;
>         msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>         msg_end   = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>         msg_flag  = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
>         //Calculate the offset
>         tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start;
>         tmpOffsetEnd   = sizeMuxPPPHeader + 1 + msg_end;
>
>         pinfo->fragmented = TRUE;
>         frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
>             msg_seqid,             /* ID for fragments belonging together */
>             msg_fragment_table,    /* list of message fragments */
>             msg_reassembled_table, /* list of reassembled messages */
>             msg_num,               /* fragment sequence number */
>             tmpOffsetEnd,          /* fragment length - to the end */
>             msg_flag);             /* More fragments? */
>
>         new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
>             "Reassembled Message", frag_msg, &msg_frag_items,
>             NULL, mux27010_tree);
>
>         if (frag_msg) { /* Reassembled */
>             if (check_col(pinfo->cinfo, COL_INFO))
>                 col_append_str(pinfo->cinfo, COL_INFO,
>                     " (Message Reassembled)");
>         } else { /* Not last packet of reassembled Short Message */
>             if (check_col(pinfo->cinfo, COL_INFO))
>                 col_append_fstr(pinfo->cinfo, COL_INFO,
>                     " (Message fragment %u)", msg_num);
>         }
>         if (new_tvb) { /* take it all */
>             next_tvb = new_tvb;
>         } else { /* make a new subset */
>             next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
>         }
>
> Regards, Chris
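The 9-byte header layout Philippe derives from the two captured packets, written out as a stand-alone parser plus an in-order reassembly that honours the packet flag (01 = more fragments, 00 = last fragment). This is an added example, not code from the thread and not a Wireshark dissector; the struct and function names (mux_hdr, mux_parse_hdr, mux_parse, mux_reassemble) are this example's own. The two packet prefixes in main() are the bytes quoted in the thread; the full payloads (0xF9 and 0xCA bytes) are not reproduced in the mail, so the reassembly runs on two constructed fragments with the same layout and short payloads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from Philippe's table: 9-byte header, a limiter byte, data_len
 * payload bytes, a closing limiter. Names here are this example's own. */
#define MUX_HDR_LEN  9
#define MUX_DATA_OFF (MUX_HDR_LEN + 1)   /* offset of first payload byte */
#define MUX_LIMITER  0xF9

typedef struct {
    uint8_t  header;      /* 0x07 in both captured packets */
    uint16_t msg_id;      /* big-endian; groups the fragments of one message */
    uint16_t frag_num;    /* big-endian; 0-based fragment sequence number */
    uint8_t  data_start;
    uint8_t  data_len;    /* payload bytes between the two limiters */
    uint8_t  flag;        /* 1 = more fragments follow, 0 = last fragment */
    uint8_t  unused;
} mux_hdr;

/* Parse header plus first limiter. Returns 0, or -1 if the buffer is
 * shorter than 10 bytes or the limiter is not at offset 9. */
int mux_parse_hdr(const uint8_t *pkt, size_t len, mux_hdr *h)
{
    if (len < MUX_DATA_OFF) return -1;
    h->header     = pkt[0];
    h->msg_id     = (uint16_t)((pkt[1] << 8) | pkt[2]);
    h->frag_num   = (uint16_t)((pkt[3] << 8) | pkt[4]);
    h->data_start = pkt[5];
    h->data_len   = pkt[6];
    h->flag       = pkt[7];
    h->unused     = pkt[8];
    return pkt[9] == MUX_LIMITER ? 0 : -1;
}

/* Parse a whole packet. data_len comes from the wire, so the closing
 * limiter is bounds-checked against len before it is read.
 * Returns the payload length and sets *data, or -1. */
int mux_parse(const uint8_t *pkt, size_t len, mux_hdr *h, const uint8_t **data)
{
    if (mux_parse_hdr(pkt, len, h) < 0) return -1;
    size_t end = MUX_DATA_OFF + h->data_len;       /* closing limiter offset */
    if (end >= len || pkt[end] != MUX_LIMITER) return -1;
    *data = pkt + MUX_DATA_OFF;
    return h->data_len;
}

/* Reassemble fragments in the order given: same msg_id throughout,
 * frag_num == index, flag 1 on every fragment except the last (flag 0).
 * Returns the total payload length written to out, or -1. */
int mux_reassemble(const uint8_t *const *frags, const size_t *lens, size_t n,
                   uint8_t *out, size_t out_cap)
{
    size_t total = 0;
    uint16_t id = 0;
    for (size_t i = 0; i < n; i++) {
        mux_hdr h;
        const uint8_t *data;
        int dlen = mux_parse(frags[i], lens[i], &h, &data);
        if (dlen < 0) return -1;
        if (i == 0) id = h.msg_id;
        if (h.msg_id != id || h.frag_num != i) return -1;
        if (h.flag != (i + 1 == n ? 0 : 1)) return -1;
        if (total + (size_t)dlen > out_cap) return -1;
        memcpy(out + total, data, (size_t)dlen);
        total += (size_t)dlen;
    }
    return (int)total;
}

/* Leading bytes of both captured packets exactly as quoted in the thread. */
static const uint8_t CAP1[] = {0x07,0x00,0x01,0x00,0x00,0x06,0xF9,0x01,0x00,
                               0xF9,0x07,0xA8,0xE8,0x01,0x7E,0x21};
static const uint8_t CAP2[] = {0x07,0x00,0x01,0x00,0x01,0x06,0xCA,0x00,0x00,
                               0xF9,0x07,0xAA,0x8A,0x01};

/* Constructed fragments (not from the capture): same layout, short
 * payloads, so "ABCDEFG" reassembles from two packets. */
static const uint8_t FRAG0[] = {0x07,0x00,0x01,0x00,0x00,0x06,0x04,0x01,0x00,
                                0xF9,'A','B','C','D',0xF9};
static const uint8_t FRAG1[] = {0x07,0x00,0x01,0x00,0x01,0x06,0x03,0x00,0x00,
                                0xF9,'E','F','G',0xF9};

int demo_reassemble(uint8_t *out, size_t cap)
{
    const uint8_t *frags[] = {FRAG0, FRAG1};
    const size_t lens[] = {sizeof FRAG0, sizeof FRAG1};
    return mux_reassemble(frags, lens, 2, out, cap);
}

int demo_reassemble_swapped(uint8_t *out, size_t cap)   /* wrong order: -1 */
{
    const uint8_t *frags[] = {FRAG1, FRAG0};
    const size_t lens[] = {sizeof FRAG1, sizeof FRAG0};
    return mux_reassemble(frags, lens, 2, out, cap);
}

int main(void)
{
    mux_hdr h;
    const uint8_t *caps[] = {CAP1, CAP2};
    const size_t lens[] = {sizeof CAP1, sizeof CAP2};
    for (int i = 0; i < 2; i++)
        if (mux_parse_hdr(caps[i], lens[i], &h) == 0)
            printf("packet %d: msg_id=%u frag=%u start=%u len=0x%02X flag=%u\n",
                   i + 1, (unsigned)h.msg_id, (unsigned)h.frag_num,
                   (unsigned)h.data_start, (unsigned)h.data_len, (unsigned)h.flag);
    uint8_t out[64];
    int n = demo_reassemble(out, sizeof out);
    if (n > 0) printf("reassembled %d bytes: %.*s\n", n, n, (const char *)out);
    return 0;
}
```

Two things carry over to a dissector built on this layout. Every field that decides where the next read lands (data_len here) is checked against the buffer length before the closing limiter is touched, so a packet claiming 0xF9 bytes of data in a 16-byte buffer is rejected rather than read past its end. And the reassembly helper is handed a fragment length and a more-fragments flag taken from fixed offsets 6 and 7, which is what fragment_add_seq_check() expects, rather than an absolute end offset and a byte read from a position that moves with the loop index.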
- Follow-Ups:
- Re: [Wireshark-dev] Reassembling splitted PPP packets
- From: Hans Glück
- Re: [Wireshark-dev] Reassembling splitted PPP packets
- References:
- Re: [Wireshark-dev] Reassembling splitted PPP packets
- From: Hans Glück
- Re: [Wireshark-dev] Reassembling splitted PPP packets