Wireshark mailing list archives
Re: TCP dissect issue when app-level message spans multiple TCP packets
From: "Fernandez, Rafael" <Rafael.Fernandez () citadelgroup com>
Date: Thu, 5 May 2011 10:59:35 -0500
All, I used to have a very simple get_message_tcpmessage_len. But most of the TCP packets would then say [TCP segment of a reassembled PDU]. I eliminated everything again. This is my current get_message_tcpmessage_len:

    guint
    get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
    {
        guint remaining = tvb_length_remaining(tvb, offset);
        /* PDU length = 4-byte little-endian length field + fixed header size */
        guint last_size = tvb_get_letohl(tvb, offset) + MESSAGE_HEADER_SIZE;

        if (last_size > remaining) {
            printf("not enough data: %u remaining: %u\n", last_size, remaining);
        }
        return last_size;
    }

I get the following output in consecutive packets from host A to host B:

    not enough data: 322 remaining: 144
    not enough data: 445080968 remaining: 1448

There are no 445080968 byte messages being sent, ever. It is that the dissector called by tcp_dissect_pdus gets a partial message. Clearly, it is not buffering the packets correctly. I *could* hack it together but I thought this is part of what tcp_dissect_pdus was supposed to do.

BTW - I am using and compiling against 1.4.6.

Thank you for your responses,
Rafael

-----Original Message-----
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Chris Maynard
Sent: Thursday, May 05, 2011 10:00 AM
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets

Fernandez, Rafael <Rafael.Fernandez@...> writes:
I am writing a dissector plugin and I am using tcp_dissect_pdus in order to reassemble packets. However, I am experiencing issues when there are multiple application layer messages in one packet and the last one is not complete. Specifically, I have 5 messages in one TCP packet. There are 5 calls to the get_pdu_len function and four calls to the dissect_pdu function. Since there is not enough data in the current tvbuff_t, tcp_dissect_pdus returns. When dissect_message is called again, the beginning of the message is lost. When get_pdu_len gets called again it reads a garbage size. Per https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html, I thought that tcp_dissect_pdus is supposed to handle this. I can't find example code in any dissector in /epan/dissectors/* that handles this unlike I am. Am I missing something? This is part of my code:

    void
    dissect_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        if (pinfo->tcp_tree != NULL) {
            /* TCP: let tcp_dissect_pdus split and reassemble the PDUs */
            tcp_dissect_pdus(tvb, pinfo, tree, TRUE, MESSAGE_HEADER_SIZE,
                             get_message_tcpmessage_len,
                             dissect_message_tcpmessage);
        } else {
            /* For UDP just print the data for now. */
            call_dissector(data_handle, tvb, pinfo, tree);
        }
    }

    guint
    get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
    {
        if (tvb_length_remaining(tvb, offset) <= 8)
            return 0;

        gint32 size = tvb_get_letohl(tvb, offset) + MESSAGE_HEADER_SIZE;
        gint32 type = tvb_get_letohl(tvb, offset + 4);

        printf("Len: %d type %d\n", size, type);

        if (strcmp(typeAsString(type), "Unknown") == 0) {
            return tvb_length_remaining(tvb, offset);
        }
        return size;
    }
I don't think your get_message_tcpmessage_len() function is coded correctly. It looks like you're trying to do some heuristics in there when all you really should be doing is returning the length of your PDU. In your case, it looks like the length field is the 1st 4-bytes of the header, so I think you should probably just be doing something like this:

    if (pinfo->tcp_tree != NULL) {
        tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 4,
                         get_message_tcpmessage_len,
                         dissect_message_tcpmessage);
    }

(NOTE: Here, you could use MESSAGE_HEADER_SIZE instead of 4, but you really only need the 1st 4 bytes to determine the length of the entire PDU.)

    guint
    get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
    {
        /* PDU length is the little-endian length field plus the fixed header */
        return tvb_get_letohl(tvb, offset) + MESSAGE_HEADER_SIZE;
    }

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
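The behaviour the thread is arguing about, reduced to a stand-alone model. This is an added example, not code from the thread or from Wireshark: the 8-byte little-endian header (length, then type), the message sizes and the segment split are constructed so that the first segment carries four whole messages plus 144 bytes of a 322-byte fifth one, the "not enough data: 322 remaining: 144" case Rafael reports. feed_segment() does per segment what tcp_dissect_pdus does when get_pdu_len simply returns the header's length (as Chris suggests): it dissects every complete PDU and holds back the incomplete tail for the next segment. naive_len_at_segment_start() shows what you read when the next segment is instead parsed from its own offset 0, i.e. a "length" taken from the middle of the previous message's payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumption for this example, the thread's real
 * protocol is not shown): 4-byte LE payload length, 4-byte LE type, payload. */
#define MESSAGE_HEADER_SIZE 8
#define STREAM_MAX 1024

static uint32_t get_letohl(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_letohl(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* The get_pdu_len callback as suggested in the thread: it is only called once
 * the fixed header is present, so it just turns the length field into a PDU size. */
uint32_t get_message_len(const uint8_t *hdr)
{
    return get_letohl(hdr) + MESSAGE_HEADER_SIZE;
}

typedef struct {
    uint8_t  pending[STREAM_MAX];  /* bytes not yet consumed by a complete PDU */
    size_t   pending_len;
    int      pdus_dissected;
    uint32_t last_type;
} reassembler_t;

/* Models tcp_dissect_pdus for one TCP segment: append the segment to whatever
 * was held back, dissect every complete PDU, keep the incomplete tail so the
 * next segment continues it instead of being parsed from its own offset 0.
 * Returns the number of PDUs completed by this segment (-1 on overflow). */
int feed_segment(reassembler_t *r, const uint8_t *seg, size_t len)
{
    if (r->pending_len + len > STREAM_MAX) return -1;
    memcpy(r->pending + r->pending_len, seg, len);
    r->pending_len += len;

    size_t offset = 0;
    int count = 0;
    while (r->pending_len - offset >= MESSAGE_HEADER_SIZE) {
        uint32_t pdu_len = get_message_len(r->pending + offset);
        if (pdu_len > r->pending_len - offset)
            break;                         /* partial PDU: wait for more data */
        r->last_type = get_letohl(r->pending + offset + 4);  /* "dissect" it */
        r->pdus_dissected++;
        count++;
        offset += pdu_len;
    }
    memmove(r->pending, r->pending + offset, r->pending_len - offset);
    r->pending_len -= offset;
    return count;
}

/* The failure mode from the thread: treat a segment as if it started on a PDU
 * boundary and read a "length" out of the middle of the previous message. */
uint32_t naive_len_at_segment_start(const uint8_t *seg, size_t len)
{
    return len < MESSAGE_HEADER_SIZE ? 0 : get_message_len(seg);
}

/* Builds n constructed messages: message i has payload_sizes[i] payload bytes,
 * type i + 1, and a payload filled with byte 0xA0 + i so garbage is predictable. */
size_t build_stream(uint8_t *out, const uint32_t *payload_sizes, int n)
{
    size_t pos = 0;
    for (int i = 0; i < n; i++) {
        put_letohl(out + pos, payload_sizes[i]);
        put_letohl(out + pos + 4, (uint32_t)(i + 1));
        memset(out + pos + MESSAGE_HEADER_SIZE, 0xA0 + i, payload_sizes[i]);
        pos += MESSAGE_HEADER_SIZE + payload_sizes[i];
    }
    return pos;
}

typedef struct {
    int      pdus_first, pdus_second, pdus_total;
    size_t   pending_after_first;
    uint32_t last_type, naive_len;
} demo_result_t;

/* Five messages; the fifth is 322 bytes (8 + 314) and only 144 of them are in
 * the first segment, the rest (178 bytes) arrive in the second. */
demo_result_t run_demo(void)
{
    static const uint32_t sizes[5] = { 20, 30, 40, 50, 314 };
    uint8_t stream[STREAM_MAX];
    size_t total = build_stream(stream, sizes, 5);
    size_t first_len = 4 * MESSAGE_HEADER_SIZE + 20 + 30 + 40 + 50 + 144;

    reassembler_t r;
    memset(&r, 0, sizeof r);
    demo_result_t d;
    d.pdus_first = feed_segment(&r, stream, first_len);
    d.pending_after_first = r.pending_len;
    d.naive_len = naive_len_at_segment_start(stream + first_len, total - first_len);
    d.pdus_second = feed_segment(&r, stream + first_len, total - first_len);
    d.pdus_total = r.pdus_dissected;
    d.last_type = r.last_type;
    return d;
}

int main(void)
{
    demo_result_t d = run_demo();
    printf("first segment: %d PDUs, %zu bytes held back\n", d.pdus_first, d.pending_after_first);
    printf("naive length read at second segment start: %u\n", d.naive_len);
    printf("second segment: %d PDUs, total %d, last type %u\n", d.pdus_second, d.pdus_total, d.last_type);
    return 0;
}
```

Note that get_message_len() has no fallback: if it returned something other than the true PDU length (the bytes remaining in the segment, say), the loop would consume a partial message as if it were complete and the next length read would land mid-payload, exactly as in the naive case.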
Current thread:
- TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 04)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Graham Bloice (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Guy Harris (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets John Sullivan (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Guy Harris (May 05)
- Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets Chris Maynard (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Guy Harris (May 05)
- Re: TCP dissect issue when app-level message spans multiple TCP packets Fernandez, Rafael (May 05)