Wireshark-dev: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP
All,
I used to have a very simple get_message_tcpmessage_len. But most of the TCP packets would then say [TCP segment of a reassembled PDU].
I eliminated everything again. This is my current get_message_tcpmessage_len:
guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
guint remaining = tvb_length_remaining(tvb, offset);
guint last_size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
if(last_size > remaining)
{
printf("not enough data: %d remaining: %d\n", last_size, remaining);
}
return last_size;
}
I get the following output in consecutive packets from host A to host B:
not enough data: 322 remaining: 144
not enough data: 445080968 remaining: 1448
There are no 445080968 byte messages being sent, ever. It is that the dissector called by tcp_dissect_pdus gets a partial message. Clearly, it is not buffering the packets correctly. I *could* hack it together but I thought this is part of what tcp_dissect_pdus was supposed to do.
BTW - I am using and compiling against 1.4.6.
Thank you for your responses,
Rafael
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Chris Maynard
Sent: Thursday, May 05, 2011 10:00 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets
Fernandez, Rafael <Rafael.Fernandez@...> writes:
> I am writing a dissector plugin and I am using tcp_dissect_pdus in order to
reassemble packets. However, I
> am experiencing issues when there are multiple application layer messages in
one packet and the last one
> is not complete. Specifically, I have 5 messages in one TCP packet. There are
5 calls to the get_pdu_len
> function and four calls to the dissect_pdu function. Since there is not enough
data in the current
> tvbuff_t, tcp_dissect_pdus returns. When dissect_message is called again, the
beginning of the
> message is lost. When get_pdu_len gets called again it reads a garbage size.
>
> Per https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html,
I thought that
> tcp_dissect_pdus is supposed to handle this. I can't find example code in any
dissector in
> /epan/dissectors/* that handles this unlike I am. Am I missing something?
>
> This is part of my code:
>
> void dissect_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
> {
> if(pinfo->tcp_tree != NULL) {
> tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE,
> get_message_tcpmessage_len,
dissect_message_tcpmessage);
> }
> else {
> // For UDP just print the data for now.
> call_dissector(data_handle, tvb, pinfo, tree);
> }
> }
>
> guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
> {
> if(tvb_length_remaining(tvb, offset) <= 8)
> return 0;
>
> gint32 size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
> gint32 type = tvb_get_letohl(tvb, offset+4);
> printf("Len: %u type %d\n", size, type);
> if(strcmp(typeAsString(type), "Unknown") == 0)
> {
> return tvb_length_remaining(tvb, offset);
> }
> return size;
> }
I don't think your get_message_tcpmessage_len() function is coded correctly. It
looks like you're trying to do some heuristics in there when all you really
should be doing is returning the length of your PDU. In your case, it looks
like the length field is the 1st 4-bytes of the header, so I think you should
probably just be doing something like this:
if(pinfo->tcp_tree != NULL) {
tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 4, get_message_tcpmessage_len,
dissect_message_tcpmessage);
}
(NOTE: Here, you could use MESSAGE_HEADER_SIZE instead of 4, but you really only
need the 1st 4 bytes to determine the length of the entire PDU.)
guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
return tvb_get_letohl(tvb, offset) + MESSAGE_HEADER_SIZE;
}
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
CONFIDENTIALITY AND SECURITY NOTICE
The contents of this message and any attachments may be confidential and proprietary and also may be covered by the Electronic Communications Privacy Act. This message is not intended to be used by, and should not be relied upon in any way, by any third party. If you are not an intended recipient, please inform the sender of the transmission error and delete this message immediately without reading, disseminating, distributing or copying the contents. Citadel makes no assurances that this e-mail and any attachments are free of viruses and other harmful code.