Wireshark mailing list archives
calculating PDU size of TCP message
From: "John Dill" <John.Dill () greenfieldeng com>
Date: Mon, 21 Jul 2014 16:46:04 -0400
I have a TCP message (that I reverse engineered) that contains blocks of the following type:

    -------------
    | Data Type | 4 bytes
    -------------
    | Payload Len | 4 bytes
    -------------
    | Checksum | 4 bytes
    -------------
    | Data | = Payload Len
    -------------
    (repeats)

Since I did not know about the underlying structure, I used tcp_dissect_pdus with a TCP header length of 12 bytes to be able to read a single block.

    tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
                     TCP_PAYLOAD_HDR_LENGTH, get_tcp_pdu_len, dissect_tcp_pdu);

I have discovered that in general, this application layer message can have multiple blocks, and I have something that looks like the following:

    Frame
    Ethernet II
    Internet Protocol Version 4
    Transmission Control Protocol
    Application Protocol
    Application Protocol
    Application Protocol
    ...

It's ok, but ideally, I would like to place all of these blocks into a single root layer like the following:

    Frame
    Ethernet II
    Internet Protocol Version 4
    Transmission Control Protocol
    Application Protocol
      Block 1
      Block 2
      Block ...
      Block N

It does not appear that I can use the normal PDU dissection to arrange that because I do not have an overall message size in a fixed header, I have to read each block individually and sum the payload lengths.

From the README.developer guide, it looks like I need to do something like in section 2.7.2, but I'm having a hard time adapting its example to my scenario.

Can someone point me to a dissector that already implements something similar to what I need, or give a simple loop on how to get the dissector to do what I want?

Thanks,
John Dill
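The block layout in the message above can be walked in one pass by reading each 12-byte header and summing the payload lengths. The following stand-alone C function is an added example (not part of the original post and not Wireshark code) that does this over a reassembled byte stream and reports how many bytes a trailing partial block still needs. It assumes big-endian fields; `walk_blocks`, `walk_result`, `max_payload` and `sample_stream` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

#define BLOCK_HDR_LEN 12u /* Data Type + Payload Len + Checksum, 4 bytes each */

typedef struct {
    size_t blocks;    /* complete blocks found */
    size_t consumed;  /* bytes covered by the complete blocks */
    size_t need_more; /* bytes still missing from a trailing partial block */
} walk_result;

/* Assumption: big-endian fields; the post does not give the byte order. */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0, or -1 when a Payload Len exceeds max_payload (hypothetical cap). */
int walk_blocks(const uint8_t *buf, size_t len, uint32_t max_payload,
                walk_result *out)
{
    size_t off = 0;
    out->blocks = out->consumed = out->need_more = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < BLOCK_HDR_LEN) { /* header split across segments */
            out->need_more = BLOCK_HDR_LEN - remaining;
            break;
        }
        uint32_t payload_len = rd_be32(buf + off + 4);
        if (payload_len > max_payload)
            return -1; /* implausible length: reject rather than buffer for it */
        if (payload_len > remaining - BLOCK_HDR_LEN) { /* subtraction cannot wrap */
            out->need_more = payload_len - (remaining - BLOCK_HDR_LEN);
            break;
        }
        off += (size_t)BLOCK_HDR_LEN + payload_len;
        out->blocks++;
    }
    out->consumed = off;
    return 0;
}

/* Constructed sample: two complete blocks, then one missing 3 payload bytes. */
const uint8_t sample_stream[] = {
    0,0,0,1, 0,0,0,2, 0,0,0,0, 0xAA,0xBB,
    0,0,0,2, 0,0,0,0, 0,0,0,0,
    0,0,0,3, 0,0,0,5, 0,0,0,0, 1,2 };
```

In a dissector that follows section 2.7.2 of README.developer, `consumed` and `need_more` are the values to report as `pinfo->desegment_offset` and `pinfo->desegment_len`.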