Wireshark mailing list archives

Reassembling fragmented messages


From: Francesco Jacomel <francesco.jacomel () gmail com>
Date: Thu, 19 Jan 2012 17:53:57 -0200

Hi,

I've just subscribed to this list to find some successful experience with
reassembling packets.
I'm trying to use the developer's guide to help me do it, but I have had no
success until now.
I'm creating a new dissector, and for simple messages it works fine, but
nothing works, either when adding fragments to a hash table or when
reassembling the packets.
Let me show the incoming packets first, to make the problem clearer.

In the .log file (also created by myself), I have the following:

The packet with the total size to be reassembled is this one:

18:25:13.257
000000 00 0C 00 05 AA FF 00 00 8F                      .........

Where 00 0C 00 05 means:
01 - TX
0C - My protocol
00 05 - 2 bytes length

And A0 12 00 00 8F means:
AA - Command class
FF - Instruction
00 - Don't care
00 - Don't care
>> 8F - The TOTAL length of the bytes to be received by the ME. <<

And as the answer from the SIM card, I have the following:

18:25:13.264
000000 01 0C 00 72 FF D0 81 8C 81 03 01 25 00 82 02 81 ................
000010 82 85 0C 53 65 72 76 69 09 6F 73 20 54 49 4D 8F ................
000020 0D 02 4D 65 75 20 4D 65 6E 75 20 54 49 4D 8F 05 ................
000030 03 53 6F 6E 73 8F 07 04 43 61 6E 61 69 73 8F 0E ................
000040 05 43 68 61 74 20 64 6F 20 62 6C 61 68 21 8F 08 ................
000050 06 44 65 73 61 66 69 6F 8F 0A 07 41 67 65 6E 64 ................
000060 61 20 4C 44 8F 0B 08 54 49 4D 20 41 67 65 6E 64 ................
000070 61 8F 0C 09 54 49                               ......


Where 01 0C 00 72 FF means:
01 - RX
0C - ISO7816-3 protocol
00 72 - 2 bytes length
FF - The instruction received for this answer being sent.
The FF is the received instruction value, and the following bytes (from
D0 to 49) are part of HALF of the full message.

The second and last part of the message is the following:

18:25:13.265
000000 01 0C 00 20 4D 20 54 6F 72 70 65 64 6F 8F 0A 0B ................
000010 54 49 4D 20 43 6F 66 72 65 8F 07 0C 45 2D 6D 61 ................
000020 69 6C 9F FF                                     ....


Where the first 4 bytes are the same header as the former, but now there
is no identification with any instruction received, since the only TX came
in the first message, so we have:
TX -------------->
    <-------------- RX(PART 1)
    <-------------- RX(PART 2)

Ok, so I need to sum part 1 (from the 6th byte, 'D0', to the last byte, '49')
with part 2 (from the 5th byte, '4D', to the last, '6C').
Now, the code:

save_fragmented = pinfo->fragmented;
pinfo->fragmented = TRUE;

nRXCounter = pinfo->fd->num;
frag_msg   = fragment_add_seq_check(tvb, 1, pinfo,
               nRXCounter,                /* guint32 ID for fragments belonging together;
                                             is the same for the two parts of the message */
               iso7816_fragment_table,    /* list of message fragments */
               iso7816_reassembled_table, /* list of reassembled messages */
               nFrameCounter++,           /* guint32 fragment sequence number; static
                                             variable starting at 0, working fine */
               tvb_reported_length(tvb),  /* guint32 fragment length */
               !bGetNextRXFragment);      /* more fragments? */

bGetNextRXFragment = TRUE;
nLastRXLength = nLastRXLength - (len - 3);
pinfo->fragmented = save_fragmented;


In the first RX received, it will add the tvb to the hash table, but in the
second, due to bGetNextRXFragment = TRUE, it will call
fragment_add_seq_check with the last parameter being FALSE. What I
understand is that I need to change it to FALSE when I know that there are
no more fragments, right??

Is there any other parameter to pass/set in this function to signal that
there are no more fragments and the message can be reassembled?

I tried to change everything and use other functions, but it doesn't work,
and frag_msg is NEVER a valid value; in Wireshark I only see it adding
fragments forever.
To check the answer for that, I have:

if (frag_msg) { /* Reassembled */
  col_append_str(pinfo->cinfo, COL_INFO, "REASSEMBLED");
  nFrameCounter = 0;
}
else { /* Not last packet of reassembled message */
  col_append_fstr(pinfo->cinfo, COL_INFO, "(Message fragment # %u)",
                  nFrameCounter++);
}
if (new_tvb) {
  col_append_fstr(pinfo->cinfo, COL_INFO, "new_tvb OK");
}
else {
  col_append_fstr(pinfo->cinfo, COL_INFO, "* new_tvb NULL");
}


And what I see in Wireshark is:
8 18:25:13.264000 MyProtocol Equipment PROT 118 (Message fragment # 0)* new_tvb NULL
9 18:25:13.265000 MyProtocol Equipment PROT 36 (Message fragment # 1)* new_tvb NULL

Does anyone know how I can check whether I'm doing everything needed to
reassemble the fragments with no problems? I'm doing something wrong, but I
could not find what.

Thanks in advance to you all.

-- 

Francesco Jacomel.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
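A stand-alone model of the contract behind fragment_add_seq_check(), added here as an illustration; it is not code from the post and not Wireshark's implementation. The contract it models: every fragment of one message is added under the same id, each with its own sequence number (0, 1, ...) and a more_frags flag that is true for all but the last fragment; the reassembled buffer is returned only by the call that completes the message, and every other call returns NULL. The model is fed the two RX frames from the hex dump above, with the payload boundaries exactly as the post describes them (part 1 from D0 to 49, part 2 from 4D to 6C, so the trailing 9F FF is left out), and checks the result against the BER-TLV length the data itself carries (tag D0, long-form length 81 8C = 140 bytes, so a complete message is 143 bytes). It also shows what the contract gives when each fragment is added under a different id, for example a per-frame number: no call ever completes. The msg_id value, table sizes and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSGS  8     /* constructed limits for the example */
#define MAX_FRAGS 16

typedef struct {
    bool     used;
    uint32_t id;
    int      last_seq;            /* -1 until the fragment with more_frags == false arrives */
    bool     present[MAX_FRAGS];
    size_t   len[MAX_FRAGS];
    uint8_t *data[MAX_FRAGS];
} msg_t;

static msg_t table[MAX_MSGS];     /* the "fragment table", keyed by message id */

static void table_reset(void)
{
    for (int i = 0; i < MAX_MSGS; i++) {
        for (int s = 0; s < MAX_FRAGS; s++) free(table[i].data[s]);
        memset(&table[i], 0, sizeof table[i]);
    }
}

static msg_t *table_get(uint32_t id)          /* find entry for id, or claim a free slot */
{
    msg_t *slot = NULL;
    for (int i = 0; i < MAX_MSGS; i++) {
        if (table[i].used && table[i].id == id) return &table[i];
        if (!table[i].used && !slot) slot = &table[i];
    }
    if (slot) { slot->used = true; slot->id = id; slot->last_seq = -1; }
    return slot;
}

/* Model of fragment_add_seq_check(): returns a malloc'ed copy of the whole message
 * (length in *out_len) on the call that completes it, NULL on every other call.
 * A repeated sequence number is ignored. */
uint8_t *fragment_add_seq_model(uint32_t id, uint32_t seq, const uint8_t *data,
                                size_t len, bool more_frags, size_t *out_len)
{
    msg_t *m = table_get(id);
    if (!m || seq >= MAX_FRAGS || m->present[seq]) return NULL;
    m->data[seq] = malloc(len ? len : 1);
    if (!m->data[seq]) return NULL;
    memcpy(m->data[seq], data, len);
    m->len[seq] = len;
    m->present[seq] = true;
    if (!more_frags) m->last_seq = (int)seq;
    if (m->last_seq < 0) return NULL;             /* last fragment not seen yet */
    size_t total = 0;
    for (int s = 0; s <= m->last_seq; s++) {
        if (!m->present[s]) return NULL;          /* a sequence number is still missing */
        total += m->len[s];
    }
    uint8_t *out = malloc(total ? total : 1);
    if (!out) return NULL;
    for (int s = 0, pos = 0; s <= m->last_seq; pos += (int)m->len[s], s++) {
        memcpy(out + pos, m->data[s], m->len[s]);
        free(m->data[s]);
    }
    memset(m, 0, sizeof *m);                      /* entry leaves the fragment table */
    *out_len = total;
    return out;
}

/* The two RX frames from the post's hex dump, header bytes included. */
static const uint8_t rx_part1[118] = {
    0x01,0x0C,0x00,0x72,0xFF,0xD0,0x81,0x8C,0x81,0x03,0x01,0x25,0x00,0x82,0x02,0x81,
    0x82,0x85,0x0C,0x53,0x65,0x72,0x76,0x69,0x09,0x6F,0x73,0x20,0x54,0x49,0x4D,0x8F,
    0x0D,0x02,0x4D,0x65,0x75,0x20,0x4D,0x65,0x6E,0x75,0x20,0x54,0x49,0x4D,0x8F,0x05,
    0x03,0x53,0x6F,0x6E,0x73,0x8F,0x07,0x04,0x43,0x61,0x6E,0x61,0x69,0x73,0x8F,0x0E,
    0x05,0x43,0x68,0x61,0x74,0x20,0x64,0x6F,0x20,0x62,0x6C,0x61,0x68,0x21,0x8F,0x08,
    0x06,0x44,0x65,0x73,0x61,0x66,0x69,0x6F,0x8F,0x0A,0x07,0x41,0x67,0x65,0x6E,0x64,
    0x61,0x20,0x4C,0x44,0x8F,0x0B,0x08,0x54,0x49,0x4D,0x20,0x41,0x67,0x65,0x6E,0x64,
    0x61,0x8F,0x0C,0x09,0x54,0x49 };
static const uint8_t rx_part2[36] = {
    0x01,0x0C,0x00,0x20,0x4D,0x20,0x54,0x6F,0x72,0x70,0x65,0x64,0x6F,0x8F,0x0A,0x0B,
    0x54,0x49,0x4D,0x20,0x43,0x6F,0x66,0x72,0x65,0x8F,0x07,0x0C,0x45,0x2D,0x6D,0x61,
    0x69,0x6C,0x9F,0xFF };

/* Same id for both fragments, seq 0 then 1, more_frags true then false. Payloads as
 * the post describes: part 1 after its 5-byte header (113 bytes, D0..49), part 2
 * after its 4-byte header up to 6C (30 bytes). */
static uint8_t *reassemble_post_example(size_t *out_len)
{
    const uint32_t msg_id = 1;                    /* constructed; only sameness matters */
    table_reset();
    uint8_t *r = fragment_add_seq_model(msg_id, 0, rx_part1 + 5, 113, true, out_len);
    if (r) { free(r); return NULL; }              /* must not complete on the first call */
    return fragment_add_seq_model(msg_id, 1, rx_part2 + 4, 30, false, out_len);
}

size_t post_example_reassembled_length(void)      /* 143 when the contract is followed */
{
    size_t n = 0;
    uint8_t *buf = reassemble_post_example(&n);
    if (!buf) return 0;
    free(buf);
    return n;
}

/* BER-TLV length check: short form (len < 0x80) or one-byte long form (0x81 nn). */
int tlv_length_consistent(const uint8_t *buf, size_t len)
{
    if (len < 2) return 0;
    if (buf[1] < 0x80) return len == 2u + buf[1];
    if (buf[1] == 0x81) return len >= 3 && len == 3u + buf[2];
    return 0;                                     /* longer forms not needed here */
}

int post_example_tlv_consistent(void)
{
    size_t n = 0;
    uint8_t *buf = reassemble_post_example(&n);
    int ok = buf != NULL && tlv_length_consistent(buf, n);
    free(buf);
    return ok;
}

/* Different id per fragment (e.g. a per-frame number): nothing ever completes. */
size_t mismatched_ids_reassembled_length(void)
{
    size_t n = 0;
    table_reset();
    uint8_t *a = fragment_add_seq_model(8, 0, rx_part1 + 5, 113, true, &n);
    uint8_t *b = fragment_add_seq_model(9, 1, rx_part2 + 4, 30, false, &n);
    size_t got = (a || b) ? n : 0;
    free(a); free(b);
    return got;
}

int main(void)
{
    size_t n = 0;
    uint8_t *buf = reassemble_post_example(&n);
    if (!buf) { puts("not reassembled"); return 1; }
    printf("reassembled %zu bytes, TLV length %s\n", n,
           tlv_length_consistent(buf, n) ? "consistent" : "INCONSISTENT");
    for (size_t i = 0; i < n; i++)
        printf("%02X%c", buf[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    free(buf);
    printf("distinct ids per fragment -> %zu bytes reassembled\n",
           mismatched_ids_reassembled_length());
    return 0;
}
```

The two things worth checking against this model in a real dissector are the id (identical on every call for one message) and the more_frags flag (true on every fragment except the last); with those in place, the completing call is the only one that returns a non-NULL result, which is also the only point at which a reassembled tvb can be built and the COL_INFO text should say so.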
