Wireshark mailing list archives

Re: Help with desegmentation issue


From: "Maynard, Chris" <Christopher.Maynard () GTECH COM>
Date: Wed, 16 Dec 2009 12:28:18 -0500

As you've discovered, the TCP dissector won't attempt to reassemble
packets if the TCP checksum is invalid.  In the short-term, you may
choose to disable TCP checksum validation to try to work around this.

 

Edit -> Preferences -> Protocols -> TCP -> Deselect "Validate the TCP
checksum if possible"

 

In the long-term, maybe a change to the TCP dissector could be made to
attempt reassembly even if the TCP checksum is bad, possibly through a
new TCP preference allowing this?  I'm not sure how well that would work
though, so I leave it as a question/topic of discussion for the TCP
dissector author(s) and core developers.

 

- Chris

 

 

From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Jarolin,
Robert
Sent: Wednesday, December 16, 2009 8:24 AM
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] Help with desegmentation issue

 

I discovered what the problem was with the dissection. 
It turns out that "tcp_dissect_pdus" does not work properly if the
packet(s) have "TCP CHECKSUM INCORRECT" 

I took the data (4 packets) that had the data segmented and rebuilt the
packet header data including the TCP header using text2pcap.

When I tried to dissect these packets (that now had proper TCP
checksums), my dissector correctly desegmented the data. 
I then edited the packets to just change the TCP checksum and tried
again.  The packets can no longer be desegmented. 

Any ideas what to do about this issue? 

Thanks. 

See my original message below: 

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

 

I have a dissector that uses tcp_dissect_pdus that does not seem to be
doing the job.  Please help. 
I have a dump that contains 4 TCP packets that are all related to the
same message (a total of 4428 bytes). 
The first 3 packets are a length of 1460 bytes and the last 48 bytes =>
1460 * 3 + 48 = 4428 
When dissection takes place, the desegmentation does not seem to
properly occur. 

Under the TCP portion of the dissection it properly says: 
  [PDU Size: 4428] 
But the data available for dissection is only the size of the first
packet (1460) 

What am I doing wrong?  Thanks for any help. 

Below are excerpts from my dissector: 

#define FRAME_HEADER_LEN 4

static void
dissect_myproto_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  guint total_len;

  /* Check that there's enough data */
  total_len = tvb_length(tvb);
  printf("Total_len = %u\n", total_len);  /* THIS prints 1460 */
  /* ... */
  /* Dissect my data */
  /* ... */
}

static guint
get_myproto_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
  guint length = 0;

  /* myproto message length: 2 bytes starting at offset 0, multiplied by 4 */
  length = (guint) ( tvb_get_ntohs( tvb, offset ) * 4 );  /* Get the length */

  printf("TOTAL of message = %u\n", length);  /* This prints 4428 */
  return length;
}

/* Code to actually dissect the packets */
static void
dissect_myproto(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  /* TRUE asks the TCP dissector to desegment PDUs across segments */
  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
      get_myproto_message_len, dissect_myproto_message);
}
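
The experiment described in this thread (the same segments, with only the TCP checksum edited) can be checked outside Wireshark. The following is an added example, not code from either poster or from Wireshark's source: it verifies a TCP checksum over the IPv4 pseudo-header. The addresses, ports and payload are constructed, and check_sample is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum of big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;     /* odd trailing byte, zero padded */
    return acc;
}

/* Folded sum over the IPv4 pseudo-header plus the whole TCP segment. */
static uint16_t tcp_sum(const uint8_t *src, const uint8_t *dst,
                        const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = {0};                    /* src, dst, zero, proto, length */
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9] = 6;                               /* protocol = TCP */
    ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    uint32_t acc = sum16(seg, len, sum16(ph, sizeof ph, 0));
    while (acc >> 16)
        acc = (acc & 0xFFFF) + (acc >> 16);  /* fold carries back in */
    return (uint16_t)acc;
}

/* A segment is valid when the sum, checksum field included, is 0xFFFF. */
int tcp_checksum_ok(const uint8_t *src, const uint8_t *dst,
                    const uint8_t *seg, size_t len)
{
    return len >= 20 && len <= 0xFFFF && tcp_sum(src, dst, seg, len) == 0xFFFF;
}

/* Constructed sample: 20-byte header + length word 0x0453 (1107 * 4 = 4428). */
int check_sample(int corrupt)
{
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint8_t seg[24] = {0x30, 0x39, 0x1F, 0x90, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0x10, 0x20, 0x00, 0, 0, 0, 0, 0x04, 0x53, 0, 0};
    uint16_t c = (uint16_t)~tcp_sum(src, dst, seg, sizeof seg);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;  /* correct checksum */
    if (corrupt) seg[17] ^= 0x01;            /* edit only the checksum field */
    return tcp_checksum_ok(src, dst, seg, sizeof seg);
}

int main(void) { printf("valid=%d edited=%d\n", check_sample(0), check_sample(1)); return 0; }
```
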

