Wireshark · Wireshark-dev: Re: [Wireshark-dev] Packet reassemble - FTP-DATA Dissector - FTP - Export Object

[Pascal Quantin <pascal.quantin@xxxxxxxxx>]

2015-01-16 16:07 GMT+01:00 leonardocito@xxxxxxxxx <leonardocito@xxxxxxxxx>:

I already posted this question to Ask.Wireshark.org; as I have a very tight schedule and realise the mailing list is more appropriate, I am posting it here as well. Please advice me if I need to remove the other post.

I am implementing object export for the FTP protocol ( File-> Export Object -> FTP...).

I have got to the point of getting the list of files in the ExportObjectDialog window. However in such window I get an entry for each TCP packet used for the trasmission of each FTP packet. If save each entry and then join the resulting files in the correct order I get the file I am sopposed to. So I am on the right track but am not doing ftp packet reassembly correctly.

I have tried two approaches:

1. The one explainded in section 2.7.2 of README.dissector. You can find the code at pastebin.com/nkxDUhkv. In order to make reading easier, I have added left several blank lines before and after the reassemble section. I am preatty sure this is the way to go, if this is the case you can skip to the end of the question. However since this approach has not been successful, I am providing details of the second one.

2. I have followed the instructions given at https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html#TcpDissectPdus and added some extra code I think necessary, based on implementations I have seen of other dissectors.

   Please note that I think line
   

   ftpdatafragmented_handle = create_dissector_handle(dissect_ftpdatafragmented, proto_ftpdatafragmented);

   should go at the end of

   void proto_reg_handoff_ftp(void);

   However for some reason such function is not being called. Therefore I have moved the
   ftpdatafragmented_handle to

   dissect_ftpdata(tvbuff_t tvb, packet_info pinfo, proto_tree *tree).

   Please find the relevant code at pastebin.com/wHR2Q1LY. I have upload the whole mofidied FTP dissector code at pastebin.com/jxLUxewm.

Also note that I haven't dealt with conversation and transaction data yet. I will deal with that as soon as I fix packet reassemble.

What am I doing wrong with packet disassemble? Could somebody please help me?

Thank you in advance for your time.

Hi,

Honestly I do not understand what you are trying to achieve here.
I would assume that ftp data is a stream and not a PDU, so I do not know what you expect to reassemble. There is no length field at the beginning of the message allowing you to use tcp_dissect_pdus(). You cannot use either the pinfo method as you do not know when your stream will end. tvb_reported_length(tvb) just gives you the length of the current chunk, not the length of the "object".

As reordering is already handled by the TCP dissector (assuming that you activate the 'Do not call subdissectors for error packets' option), you might simply accumulate the bytes received in the dissector.
Each FTP-Data object is a specific conversation, so for the boundaries between "objects" you could retrieve the current conversation thanks to find_conversation() function and compare the current frame number with the last for this conversation (PINFO_FD_NUM(pinfo) == conv->last_frame). It should not be done on the first pass though (PINFO_FD_VISITED(pinfo) == 1) otherwise conv->last_frame would not be properly initialized.

Then you will have to do the tapping only at the right time to ensure that you do not accumulate data when selecting randomly a packet in the list :) I did not think about this but packet-tftp.c might be a partial source of inspiration (even if the protocol is completely different).

Good luck,
Pascal.