Wireshark · Wireshark-dev: [Wireshark-dev] TCP reassembly and Return value of a new-style dissector

Wireshark-dev: [Wireshark-dev] TCP reassembly and Return value of a new-style dissector

From: Anders Broman <a.broman@xxxxxxxxxxxx>

Date: Tue, 09 Dec 2014 21:01:37 +0100

Hi,

I have recently come across some problems with reassembly of SIPmessages over TCP one problem seems to be related to when a segmentcontains one full PDU and a segment of the next following PDU in thiscase the first SIP line of the following PDU is not complete.

I think the ultimate solution would be for the TCP dissector to call theSIP dissector again with the next incomplete PDUafter receiving the number of bytes "accepted" by the SIP dissector e.gusing the "new-style dissector interface.

also see http://seclists.org/wireshark/2014/Jun/289

As I read the code the first step would be to have
call_dissector()                                                [OK]
try_conversation_dissector()
dissector_try_heuristic()
dissector_try_uint_new                                 [OK]

Return the number of bytes consumed, 0 or -1(need more data) not sureabout DESEGMENT_UNTIL_FIN (-2?).

If people agree the biggest change is to changedissector_try_heuristic() to return an int.

What do you think?

Regards
Anders

Follow-Ups:
- Re: [Wireshark-dev] TCP reassembly and Return value of a new-style dissector
  - From: Peter Wu

Prev by Date: Re: [Wireshark-dev] Qt not found
Next by Date: Re: [Wireshark-dev] Doubt regarding absolute time in wireshark
Previous by thread: Re: [Wireshark-dev] Qt not found
Next by thread: Re: [Wireshark-dev] TCP reassembly and Return value of a new-style dissector
Index(es):
- Date
- Thread