Wireshark · Wireshark-dev: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments

Wireshark-dev: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp

From: Sudarshan Raghavan <sudarshan.t.raghavan@xxxxxxxxx>

Date: Tue, 25 Aug 2009 17:25:16 +0530

Thanks for the responses. My initial analysis was wrong. The problem
was due to 'lost TCP segments'. These are segments that wireshark
failed to capture and I can see an ack for these packets from the
client and I don't see retransmissions either. Due to this the
dissection of RTMP fails badly.  RTMP is a very context sensitive
protocol. Missing any one chunk offset will have a cascading effect
from thereon.

I am currently trying with 'TCP analyze sequence numbers' disabled. A
quick search on google also seems to suggest this might not help a
lot. I found this mail from the archives
http://ethereal.netmirror.org/lists/wireshark-users/200806/msg00025.html
. Does anyone know of any way to workaround this problem?

Thanks,
Sudarshan

On Tue, Aug 25, 2009 at 6:07 AM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Aug 24, 2009, at 11:02 AM, Sudarshan Raghavan wrote:
>
>> How do I make tcp_dissect_pdus work correctly with chunks across TCP
>> segments.
>
> Is it not working correctly now?  I've seen it work correctly for
> other protocols, even with multiple messages within one TCP segment,
> messages split across TCP segments, and messages split across TCP
> segments with the last TCP segment having the end of one message
> followed by other messages or the beginning of another message.
>
> Note that "working correctly" does not mean "calling your dissector
> with a non-zero offset", it means "calling your chunk dissector with a
> completely reassembled RTMP chunk, even if the chunk is split across
> TCP segment boundaries or if there are parts of more than one RTMP
> chunk (or complete RTMP chunks) in a TCP segment".
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>

References:
- [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments
  - From: Sudarshan Raghavan
- Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments
  - From: Guy Harris

Prev by Date: [Wireshark-dev] FW: [Wireshark-commits] rev 29523:/trunk/ /trunk/epan/dissectors/: packet-tcp.c /trunk/epan/:column-utils.c column-utils.h column.c column_info.h prefs.c/trunk/gtk/: new_packet_list.c
Next by Date: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments
Previous by thread: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments
Next by thread: Re: [Wireshark-dev] behavior of tcp_dissect_pdus when protocol pdu is across tcp segments
Index(es):
- Date
- Thread