Wireshark mailing list archives
Re: Wireshark dissector development - Reassembly tcp frames
From: Peter Wu <peter () lekensteyn nl>
Date: Wed, 05 Nov 2014 16:05:32 +0100
On Tuesday 04 November 2014 11:48:03 Guillaume Ribière wrote:
> I read the readme.dissector and try using two methods:
>
> First method:
>
>     tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
>                      get_dns_pdu_len, dissect_dns_tcp_pdu, data);
>     return tvb_captured_length(tvb);
You would use this when your protocol has a well-defined packet message format where the length of a packet can be determined from the beginning of a message. Example: SSL has a record length notion. IIRC this will call dns_desegment multiple times if a packet contains multiple PDUs ("messages").
> Second method:
>
>     guint offset = 0;
>     while(offset < tvb_reported_length(tvb)) {
>         gint available = tvb_reported_length_remaining(tvb, offset);
>         gint len = tvb_strnlen(tvb, offset, available);
>         if( -1 == len ) {
>             /* we ran out of data: ask for more */
>             pinfo->desegment_offset = offset;
>             pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
>             return (offset + available);
>         }
>         [..]
>         offset += (guint)len;
>     }
>     /* if we get here, then the end of the tvb coincided with the end of a string. Happy days. */
>     return tvb_captured_length(tvb);
This can be used if you do not know the length of the data beforehand. In the above example, a C string is NUL-terminated and you cannot know the full length until you have read everything.
> But impossible to reassemble the message, I do not understand why ... can you help me please? I hope you understand my problem ... :/
What issue are you encountering? Be very careful not to return 0 from a dissector as it means "I do not know this data, pass it to a different dissector".

If you set desegment_len to a fixed positive value other than DESEGMENT_ONE_MORE_SEGMENT, then you won't be able to change the segment length later.

--
Kind regards,
Peter
https://lekensteyn.nl
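The first method in the message above depends on the PDU length being readable from a fixed-size header. The following is an added example, not part of the original message and not Wireshark code: a stand-alone C model of that reassembly for a 2-byte big-endian length prefix (as in DNS over TCP), with bounds checks on untrusted lengths. The names `struct stream`, `feed_segment` and `BUF_MAX` are hypothetical and it does not use the epan API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 2      /* 2-byte big-endian length prefix, as in DNS over TCP */
#define BUF_MAX 4096   /* constructed cap for this example only */

struct stream {
    uint8_t  buf[BUF_MAX];  /* bytes carried over from earlier segments */
    size_t   used;
    unsigned pdus;          /* complete PDUs handed to the "dissector" */
    size_t   last_len;      /* payload length of the most recent PDU */
};

/* Total PDU length (header + payload), derived from the fixed-size header. */
static size_t get_pdu_len(const uint8_t *p)
{
    return HDR_LEN + (((size_t)p[0] << 8) | p[1]);
}

/* Feed one TCP segment. Returns the number of bytes still missing for the
 * PDU in progress (0 = data ends on a PDU boundary), or -1 if the segment
 * would not fit in the buffer. */
static long feed_segment(struct stream *s, const uint8_t *seg, size_t n)
{
    size_t off = 0;

    if (n > BUF_MAX - s->used)
        return -1;                   /* refuse rather than overrun buf */
    memcpy(s->buf + s->used, seg, n);
    s->used += n;

    /* One segment may carry several PDUs: loop until data runs short. */
    while (s->used - off >= HDR_LEN) {
        size_t plen = get_pdu_len(s->buf + off);
        if (s->used - off < plen)
            break;                   /* incomplete: wait for more data */
        s->pdus++;                   /* a real dissector would parse here */
        s->last_len = plen - HDR_LEN;
        off += plen;
    }
    memmove(s->buf, s->buf + off, s->used - off);  /* keep only the tail */
    s->used -= off;

    if (s->used == 0)
        return 0;
    if (s->used < HDR_LEN)
        return (long)(HDR_LEN - s->used);   /* the header itself is split */
    return (long)(get_pdu_len(s->buf) - s->used);
}
```
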