Wireshark mailing list archives

Re: calculating PDU size of TCP message


From: "John Dill" <John.Dill () greenfieldeng com>
Date: Tue, 22 Jul 2014 12:09:06 -0400

Message: 3
Date: Mon, 21 Jul 2014 13:52:40 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] calculating PDU size of TCP message
Message-ID: <937C9F55-5330-4553-85A3-51543AEEDBD1 () alum mit edu>
Content-Type: text/plain; charset=iso-8859-1


On Jul 21, 2014, at 1:46 PM, "John Dill" <John.Dill () greenfieldeng com> wrote:

I have a TCP message (that I reverse engineered) that contains blocks of the following type:

 -------------
|  Data Type  | 4 bytes
 -------------
| Payload Len | 4 bytes
 -------------
|  Checksum   | 4 bytes
 -------------
|    Data     | = Payload Len
 -------------
   (repeats)

Since I did not know about the underlying structure, I used tcp_dissect_pdus
with a TCP header length of 12 bytes to be able to read a single block.

tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
                 TCP_PAYLOAD_HDR_LENGTH,
                 get_tcp_pdu_len,
                 dissect_tcp_pdu);

I have discovered that in general, this application layer message can have
multiple blocks

What do you mean by "this application layer message"?

I use "application layer" in reference to the OSI model as a protocol that
sits on top of a transport protocol layer.  An "application layer message"
refers to a PDU that was desegmented from one or more TCP packets.  Maybe
PDU is the term I should use here.

If a "block" is

 -------------
|  Data Type  | 4 bytes
 -------------
| Payload Len | 4 bytes
 -------------
|  Checksum   | 4 bytes
 -------------
|    Data     | = Payload Len
 -------------

That is correct.  Each of these "blocks" could probably be referred to
as a PDU as well.

then presumably there's some *other* header that indicates which blocks
are part of a given application layer message, or a convention that an
application layer message consists of a sequence of blocks all of the
same data type (so that a change in the data type is an indication that
one application layer message ended and another began), or something
such as that.

Unfortunately, there is no other header that identifies which blocks
are part of a given application layer message.  It is just a sequence
of blocks.  There are "control" messages sent from the client to the
server, and "data" messages, both periodic and on-demand, from the
server to the client and vice versa.  Here are the scenarios that I
see in the data.

1.  A single TCP packet payload contains 1 block (for "control" messages
or medium to smaller "data" messages).

2.  Multiple TCP packets are desegmented to contain 1 block (for large
"data" messages, up to a few KB).

3.  A single TCP packet payload contains 2 or more blocks (for multiple
"control" messages and smaller "data" messages).

Without knowing that, it will be impossible to do

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Application Protocol
 Block 1
 Block 2
 Block ...
 Block N

because Wireshark won't be able to determine where one application layer
message begins and another ends.

I see.  I originally thought I had a mistake in the dissector since it's
the first time I've encountered multiple PDUs in a single TCP packet.  I
had expected them to all be in the same "Application Protocol" since that
is what I've always seen before.  Now it's clear what is going on.

Thanks again,
John Dill
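Added example, not code from the thread: a stand-alone C sketch of the length callback and a block walker for the 12-byte-header format discussed above, covering the three scenarios John lists (one block per segment, one block across several segments, several blocks in one segment). It assumes big-endian fields and a 64 KB sanity bound on Payload Len; the thread states neither, and the checksum algorithm is unknown so it is not verified here.

```c
#include <stdint.h>
#include <stddef.h>

#define BLOCK_HDR_LEN   12u              /* Data Type + Payload Len + Checksum, 4 bytes each */
#define MAX_PAYLOAD_LEN (64u * 1024u)    /* assumed sanity bound; the thread gives no maximum */

/* Byte order is assumed big-endian (network order); the thread does not say. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Stand-in for the get_pdu_len callback given to tcp_dissect_pdus: with at least
 * BLOCK_HDR_LEN bytes at 'offset', return the whole block length (header + payload).
 * Returns 0 for an implausible length so the caller can flag the block as malformed
 * instead of asking TCP to reassemble gigabytes. */
uint32_t block_pdu_len(const uint8_t *buf, size_t len, size_t offset)
{
    if (len < BLOCK_HDR_LEN || offset > len - BLOCK_HDR_LEN)
        return 0;
    uint32_t payload_len = get_be32(buf + offset + 4);
    if (payload_len > MAX_PAYLOAD_LEN)      /* also keeps the sum below from overflowing */
        return 0;
    return BLOCK_HDR_LEN + payload_len;
}
/* Walk a (reassembled) TCP payload the way tcp_dissect_pdus does: count complete
 * blocks and report via *needed how many more bytes would finish a trailing partial
 * block (0 when the payload ends on a block boundary).  Returns -1 on a bad header. */
int walk_blocks(const uint8_t *buf, size_t len, size_t *needed)
{
    size_t off = 0;
    int blocks = 0;
    *needed = 0;
    while (off < len) {
        if (len - off < BLOCK_HDR_LEN) {            /* not even a full header yet */
            *needed = BLOCK_HDR_LEN - (len - off);
            break;
        }
        uint32_t pdu_len = block_pdu_len(buf, len, off);
        if (pdu_len == 0)
            return -1;
        if (len - off < pdu_len) {                  /* header seen, payload still arriving */
            *needed = pdu_len - (len - off);
            break;
        }
        off += pdu_len;
        blocks++;
    }
    return blocks;
}
```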

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe