Wireshark-dev: [Wireshark-dev] Defragmenting non-tcp streams
Date: Thu, 7 Jan 2010 04:48:48 -0500
TCP has a tcp_dissect_pdus() function that higher protocols can use
to eliminate their dependency on the TCP framing. Is there anything
generic for other layers? I'm writing a USB dissector which is really
a serial protocol being transported over USB. Most of the time
there is only one packet within the USB frame, but that is just due
to luck with the timing of the transfers. When I do larger transfers
I end up with multiple packets within a single USB frame.

Simplistically, I tried just recursively calling the dissector
if there are any more packets after the one I've dissected, which
works unless the packets I'm dissecting also need to be defragmented
within the protocol I'm working on. In that case I get
"Message fragment overlap: True" messages with each fragment in
the frame pointing to the same payload offset in the defragmented
frame.

e.g.
Frame 249: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
USB URB
ANT
    SYNC: 0xa4
    Message length: 0x09
    Message ID: Burst data (0x50)
    Data: 40FFFFFFFFFFFFFFFF
        0... .... = Last burst: False
        .10. .... = Sequence#: 2
        ...0 0000 = Chan: 0
        Reassembled in: 4069
        Data: FFFFFFFFFFFFFFFF
    Checksum: 0xbd
ANT
    SYNC: 0xa4
    Message length: 0x09
    Message ID: Burst data (0x50)
    Data: 602BFFFFFFFFFFFFFF
        0... .... = Last burst: False
        .11. .... = Sequence#: 3
        ...0 0000 = Chan: 0
        Reassembled in: 4069
        Data: 2BFFFFFFFFFFFFFF
    Checksum: 0x49
ANT
    SYNC: 0xa4
    Message length: 0x09
    Message ID: Burst data (0x50)
    Data: 20FFFFFFFFFFFFFFFF
        0... .... = Last burst: False
        .01. .... = Sequence#: 1
        ...0 0000 = Chan: 0
        Reassembled in: 4069
        Data: FFFFFFFFFFFFFFFF
    Checksum: 0xdd
...

Frame 4069: 37 bytes on wire (296 bits), 37 bytes captured (296 bits)
USB URB
ANT
    SYNC: 0xa4
    Message length: 0x09
    Message ID: Burst data (0x50)
    Data: E04312559ED4019FDF
        1... .... = Last burst: True
        .11. .... = Sequence#: 3
        ...0 0000 = Chan: 0
        [Message fragments (32096 bytes): #58(8), #59(8), #60(8), #61(8), #62(8), #63(8), #64(8), #65(8), #66(8), #67(8), #68(8), #69(8), #70(8), #71(8), #72(8), #73(8), #74(8), #75(8), #76(8), #77(8), #78(8), #79(8), #80(8), #81(8), #82(8), #83(8)]
...
            [Frame: 248, payload: 1520-1527 (8 bytes)]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
                [Message fragment overlap: True]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
                [Message fragment overlap: True]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
                [Message fragment overlap: True]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
                [Message fragment overlap: True]
            [Frame: 249, payload: 1528-1535 (8 bytes)]
                [Message fragment overlap: True]
            [Frame: 250, payload: 1536-1543 (8 bytes)]
...

Can anyone help me out here?

Thanks,

Paul
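
The framing described in this message, as an added example in standalone C (not code from the original post, and not Wireshark API code): it walks one USB payload iteratively, splits it into ANT messages using the field layout in the dump, and records each message's byte offset so that several burst fragments from the same frame stay distinguishable. The names `ant_split`, `ant_msg` and `sample_frame` are hypothetical, and the checksum is assumed to be the XOR of all preceding bytes, which agrees with the three checksums shown for frame 249.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the three burst messages shown for frame 249, back to back. */
static const uint8_t sample_frame[] = {
    0xA4,0x09,0x50,0x40,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBD,
    0xA4,0x09,0x50,0x60,0x2B,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x49,
    0xA4,0x09,0x50,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xDD };

typedef struct {            /* hypothetical record, one per message */
    size_t  offset;         /* where SYNC sits inside the USB payload */
    uint8_t id, len, seq, chan, last;
} ant_msg;

/* Walk the payload iteratively. Stops at a bad SYNC, bad checksum or a
 * truncated tail; *used tells the caller how many bytes were complete. */
size_t ant_split(const uint8_t *b, size_t n, ant_msg *out, size_t max, size_t *used)
{
    size_t pos = 0, cnt = 0;
    while (cnt < max && n - pos >= 4) {          /* SYNC + len + id + checksum */
        size_t total = (size_t)b[pos + 1] + 4;
        uint8_t x = 0;
        if (b[pos] != 0xA4 || total > n - pos) break;
        for (size_t i = 0; i + 1 < total; i++) x ^= b[pos + i];
        if (x != b[pos + total - 1]) break;      /* assumed XOR checksum */
        ant_msg *m = &out[cnt++];
        m->offset = pos; m->len = b[pos + 1]; m->id = b[pos + 2];
        m->seq = m->chan = m->last = 0;
        if (m->id == 0x50 && m->len >= 1) {      /* Burst data flag byte */
            m->last = b[pos + 3] >> 7;
            m->seq  = (b[pos + 3] >> 5) & 0x03;
            m->chan = b[pos + 3] & 0x1F;
        }
        pos += total;
    }
    *used = pos;
    return cnt;
}

int main(void)
{
    ant_msg m[8]; size_t used;
    size_t c = ant_split(sample_frame, sizeof sample_frame, m, 8, &used);
    for (size_t i = 0; i < c; i++)   /* (frame, offset) is unique per fragment */
        printf("offset %zu id 0x%02x seq %u chan %u last %u\n", m[i].offset,
               (unsigned)m[i].id, (unsigned)m[i].seq, (unsigned)m[i].chan, (unsigned)m[i].last);
    printf("%zu messages, %zu bytes consumed\n", c, used);
    return 0;
}
```

A message cut off at the end of the buffer is left unconsumed, so `used` marks where the next USB payload would have to continue.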