Wireshark mailing list archives
Re: dissecting TCP packets with multiple PDUs
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Thu, 11 Aug 2016 11:14:21 -0400
On Fri, Aug 5, 2016 at 1:39 PM, John Dill <John.Dill () greenfieldeng com> wrote:
One problem I have is that I'm creating multiple subtrees for a protocol when two PDUs are found in the same frame. What's the best way to avoid this?

\code
gint
dissect_mk32_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
  proto_tree *mk32_tree = NULL;
  proto_item *ti;  /* ti := tree item */
  gint offset = 0;

  /*
   * This is a high level dissector targeting a re-assembled TCP
   * packet containing MK32 messages.  The main responsibilities
   * of the dissector are to control the meta data displayed in the
   * "Packet List" pane, and to display the packet contents in the
   * "Packet Details" pane.  Typically, the dissection details of
   * higher level protocol messages (MK32) and their contents are
   * handled in message specific sub-dissectors.
   */

  /* Change the Protocol column to MK32 in addition to TCP. */
  col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP/MK32");

  /* Change the Info column to indicate what? */

  /* Process the remaining data only if actively viewed in the
     "Packet Details" pane (when 'tree != NULL'). */
  if (tree)
  {
    ti = proto_tree_add_item(tree, proto_mk32, tvb, offset, -1, ENC_BIG_ENDIAN);
    mk32_tree = proto_item_add_subtree(ti, ett_mk32);
    mk32_dissect_messages(tvb, pinfo, offset, mk32_tree);
  }

  return tvb_length(tvb);
}
\endcode

If the frame has multiple PDUs, I create multiple mk32_tree subtrees instead of just one. Is there any recommended heuristic or method I should use to determine whether my PDU is in the same frame as another so that I don't make duplicate protocol subtrees, e.g.

"if (tree && <current_frame_has_not_already_processed_another_PDU_already>)"

I thought about static variables, or maybe using the 'data' member. Any suggestions?
I'd suggest not doing anything. If there are multiple PDUs in the frame then most dissectors will (and arguably should) show you multiple protocol subtrees. This helps make it obvious to the user that they've got 2 PDUs in that frame...