Wireshark mailing list archives

calculating PDU size of TCP message


From: "John Dill" <John.Dill () greenfieldeng com>
Date: Mon, 21 Jul 2014 16:46:04 -0400


I have a TCP message (that I reverse engineered) that contains blocks of the following type:

 -------------
|  Data Type  | 4 bytes
 -------------
| Payload Len | 4 bytes
 -------------
|  Checksum   | 4 bytes
 -------------
|    Data     | = Payload Len
 -------------
   (repeats)

Since I did not know about the underlying structure, I used tcp_dissect_pdus with a TCP header length of 12 bytes to be 
able to read a single block.

tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
                 TCP_PAYLOAD_HDR_LENGTH,
                 get_tcp_pdu_len,
                 dissect_tcp_pdu);

I have discovered that in general, this application layer message can have multiple blocks, and I have something that 
looks like the following:

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Application Protocol
Application Protocol
Application Protocol
...

It's ok, but ideally, I would like to place all of these blocks into a single root layer like the following:

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Application Protocol
  Block 1
  Block 2
  Block ...
  Block N

It does not appear that I can use the normal PDU dissection to arrange that because I do not have an overall message 
size in a fixed header; I have to read each block individually and sum the payload lengths.  From the README.developer 
guide, it looks like I need to do something like in section 2.7.2, but I'm having a hard time adapting its example to 
my scenario.

Can someone point me to a dissector that already implements something similar to what I need, or give a simple loop on 
how to get the dissector to do what I want?

Thanks,
John Dill
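
Added example (not part of the original post and not Wireshark code): a stand-alone C sketch of the block-walking loop the question asks for, which sums the 12-byte headers and payload lengths and reports how many bytes are still missing when a block is split across segments. The big-endian length field, the 1 MiB payload cap, and all names (scan_blocks, scan_result, sample_stream) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define BLOCK_HDR_LEN   12u         /* Data Type + Payload Len + Checksum (from the post) */
#define MAX_PAYLOAD_LEN (1u << 20)  /* assumed sanity cap; the post states no limit */

typedef struct {
    size_t blocks;     /* complete blocks found */
    size_t consumed;   /* bytes covered by those blocks (overall message size) */
    size_t need_more;  /* bytes missing to finish the next block, 0 if none */
    int    malformed;  /* 1 if a Payload Len exceeded MAX_PAYLOAD_LEN */
} scan_result;

/* Constructed sample: two complete blocks (14 and 12 bytes), then a third
 * block that claims 4 payload bytes but carries only 1. */
const uint8_t sample_stream[39] = {
    0,0,0,1, 0,0,0,2, 0,0,0,0, 0xAA,0xBB,
    0,0,0,2, 0,0,0,0, 0,0,0,0,
    0,0,0,3, 0,0,0,4, 0,0,0,0, 0x01 };

/* Assumption: fields are big-endian (network byte order). */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

scan_result scan_blocks(const uint8_t *buf, size_t len)
{
    scan_result r = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        size_t avail = len - off;
        if (avail < BLOCK_HDR_LEN) {           /* header itself is split */
            r.need_more = BLOCK_HDR_LEN - avail;
            break;
        }
        uint32_t plen = rd_be32(buf + off + 4);
        if (plen > MAX_PAYLOAD_LEN) {          /* untrusted length field: stop */
            r.malformed = 1;
            break;
        }
        size_t block_len = BLOCK_HDR_LEN + (size_t)plen;
        if (avail < block_len) {               /* payload continues in a later segment */
            r.need_more = block_len - avail;
            break;
        }
        off += block_len;                      /* block is complete; step over it */
        r.blocks++;
    }
    r.consumed = off;
    return r;
}
```

In a dissector, consumed and need_more correspond to the values assigned to pinfo->desegment_offset and pinfo->desegment_len when requesting more data, and each completed block would become one subtree item under the single protocol root.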