Re: Packet reassemble - FTP-DATA Dissector - FTP - Export Object

[Pascal Quantin <pascal.quantin () gmail com>]

2015-01-16 16:07 GMT+01:00 leonardocito () libero it <leonardocito () libero it>:

> I already posted this question to Ask.Wireshark.org; as I have a very
> tight schedule and realise the mailing list is more appropriate, I am
> posting it here as well. Please advice me if I need to remove the other
> post.
>
>
> I am implementing object export for the FTP protocol ( File-> Export
> Object -> FTP...).
>
> I have got to the point of getting the list of files in the
> ExportObjectDialog window. However in such window I get an entry for each
> TCP packet used for the trasmission of each FTP packet. If save each entry
> and then join the resulting files in the correct order I get the file I am
> sopposed to. So I am on the right track but am not doing ftp packet
> reassembly correctly.
>
> I have tried two approaches:
>
>    1.
>
>    The one explainded in section 2.7.2 of README.dissector. You can find
>    the code at pastebin.com/nkxDUhkv. In order to make reading easier, I
>    have added left several blank lines before and after the reassemble
>    section. I am preatty sure this is the way to go, if this is the case you
>    can skip to the end of the question. However since this approach has not
>    been successful, I am providing details of the second one.
>    2.
>
>    I have followed the instructions given at
>    https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html#TcpDissectPdus
>    and added some extra code I think necessary, based on implementations I
>    have seen of other dissectors.
>
>    Please note that I think line
>
>    ftpdatafragmented_handle =
>    create_dissector_handle(dissect_ftpdatafragmented, proto_ftpdatafragmented);
>
>    should go at the end of
>
>    void proto_reg_handoff_ftp(void);
>
>    However for some reason such function is not being called. Therefore I
>    have moved the
>    ftpdatafragmented_handle to
>
>    dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree).
>
>    Please find the relevant code at pastebin.com/wHR2Q1LY. I have upload
>    the whole mofidied FTP dissector code at pastebin.com/jxLUxewm.
>
> Also note that I haven't dealt with conversation and transaction data yet.
> I will deal with that as soon as I fix packet reassemble.
>
> What am I doing wrong with packet disassemble? Could somebody please help
> me?
>
> Thank you in advance for your time.
Hi,

Honestly I do not understand what you are trying to achieve here.
I would assume that ftp data is a stream and not a PDU, so I do not know
what you expect to reassemble. There is no length field at the beginning of
the message allowing you to use tcp_dissect_pdus(). You cannot use either
the pinfo method as you do not know when your stream will end.
tvb_reported_length(tvb) just gives you the length of the current chunk,
not the length of the "object".
As reordering is already handled by the TCP dissector (assuming that you
activate the 'Do not call subdissectors for error packets' option), you
might simply accumulate the bytes received in the dissector.
Each FTP-Data object is a specific conversation, so for the boundaries
between "objects" you could retrieve the current conversation thanks to
find_conversation() function and compare the current frame number with the
last for this conversation (PINFO_FD_NUM(pinfo) == conv->last_frame). It
should not be done on the first pass though (PINFO_FD_VISITED(pinfo) == 1)
otherwise conv->last_frame would not be properly initialized.
Then you will have to do the tapping only at the right time to ensure that
you do not accumulate data when selecting randomly a packet in the list :)
I did not think about this but packet-tftp.c might be a partial source of
inspiration (even if the protocol is completely different).

Good luck,
Pascal.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe