Wireshark mailing list archives
Re: TCP dissect issue when app-level message spans multiple TCP packets
From: Graham Bloice <graham.bloice () trihedral com>
Date: Thu, 05 May 2011 16:12:24 +0100
On 05/05/2011 16:00, Chris Maynard wrote:
Fernandez, Rafael <Rafael.Fernandez@...> writes:I am writing a dissector plugin and I am using tcp_dissect_pdus in order toreassemble packets. However, Iam experiencing issues when there are multiple application layer messages inone packet and the last oneis not complete. Specifically, I have 5 messages in one TCP packet. There are5 calls to the get_pdu_lenfunction and four calls to the dissect_pdu function. Since there is not enoughdata in the currenttvbuff_t, tcp_dissect_pdus returns. When dissect_message is called again, thebeginning of themessage is lost. When get_pdu_len gets called again it reads a garbage size. Per https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html,I thought thattcp_dissect_pdus is supposed to handle this. I can't find example code in anydissector in/epan/dissectors/* that handles this unlike I am. Am I missing something? This is part of my code: void dissect_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { if(pinfo->tcp_tree != NULL) { tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE, get_message_tcpmessage_len,dissect_message_tcpmessage);} else { // For UDP just print the data for now. call_dissector(data_handle, tvb, pinfo, tree); } } guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset) { if(tvb_length_remaining(tvb, offset) <= 8) return 0; gint32 size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE; gint32 type = tvb_get_letohl(tvb, offset+4); printf("Len: %u type %d\n", size, type); if(strcmp(typeAsString(type), "Unknown") == 0) { return tvb_length_remaining(tvb, offset); } return size; }I don't think your get_message_tcpmessage_len() function is coded correctly. It looks like you're trying to do some heuristics in there when all you really should be doing is returning the length of your PDU. In your case, it looks like the length field is the 1st 4-bytes of the header, so I think you should probably just be doing something like this: if(pinfo->tcp_tree != NULL) { tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 4, get_message_tcpmessage_len, dissect_message_tcpmessage); } (NOTE: Here, you could use MESSAGE_HEADER_SIZE instead of 4, but you really only need the 1st 4 bytes to determine the length of the entire PDU.) guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset) { return tvb_get_letohl(tvb, offset) + MESSAGE_HEADER_SIZE; }
The get_message_tcpmessage_len function should also check that there are enough bytes in the passed in tvb to call tvb_get_letohl(), as the OP's code did. -- Regards, Graham Bloice
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 04)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Guy Harris (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets John Sullivan (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)