Wireshark mailing list archives

Reassembly of split fragments


From: Lars Poeschel <poeschel () lemonage de>
Date: Wed, 26 Jan 2022 10:43:38 +0100

Hello wireshark devs,

I am currently struggling with reassembly of fragments of the mux27010
protocol.
There is a dissector for the mux27010 protocol in wireshark
(packet-mux27010.c) but it does not work with fragments. The mux27010
works on top of a serial line (uart) so there is no ethernet, no IP, no
TCP involved so far. I capture the serial line traffic in pcap format,
but it has no understanding of the mux27010 protocol, so there can be
any possible combination of mux PDU and pcap capture unit in there,
namely one pcap capture unit can be:
* the beginning of a PDU
* the middle of a PDU
* the end of a PDU
* a complete PDU
* two or even more PDUs
* the end of a PDU and the beginning of the next PDU
* the end of a PDU and a complete next PDU

I have now taken a journey into that dissector and am implementing
reassembly of all of these cases. I am struggling with the latter two cases.
In short, to reassemble the fragments into a whole PDU I do:

fh = fragment_add_check(&msg_reassembly_table, tvb, offset, pinfo, id, NULL,
                        frag_offset, frag_length, more_data);
my_new_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled Message",
                                      fh, &msg_frag_items, NULL, mux27010_tree);

I set the more_data flag depending on whether I detected that a PDU is
finished or not. This then gives me a whole PDU in my_new_tvb that I can
throw at the remaining dissection process that happily does its stuff.

So, OK, at this point in the latter two cases I now have a completely
reassembled PDU and some data left (for the next PDU). What should I do now
with this untouched data? Remember, I cannot use the desegment_offset /
desegment_len mechanism of packet_info, since I am not above the TCP
dissector.
When I detect this case in the dissector I currently do this:

tvb = tvb_new_subset_remaining(tvb, split_offset);

This gives me a new tvb and I start the whole dissection process (in a
loop) again with a new subtree item:

mux27010_tree = proto_item_add_subtree(ti, ett_mux27010);

The code works. But the Wireshark GUI does not like what I did.

The last fragment does not show the reassembled packet, but instead the
start of the next reassembly. I see that
pinfo->num == fd_head->reassembled_in
matches only for the new reassembly, not the old (previous)
reassembly. So the GUI shows the fragment as belonging to the new
reassembly, but not the old one.

How can I do this right? Does anyone see what I am doing wrong?

Thanks in advance,
Lars
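
The capture-unit cases listed in the post, as an added example that is not part of the original message or of packet-mux27010.c: a stand-alone C sketch that splits each capture unit into per-PDU slices, each carrying the id, frag_offset, frag_length and more_data values the post passes to fragment_add_check(). The names split_unit, slice_t and stream_t are hypothetical, and the framing (one length byte followed by that many payload bytes) is an assumed stand-in for the real mux27010 frame format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* One slice of a capture unit; every slice belongs to exactly one PDU. */
typedef struct {
    uint32_t id;          /* reassembly id of that PDU */
    size_t   unit_offset; /* start of the slice inside the capture unit */
    size_t   frag_offset; /* position of the slice inside the PDU */
    size_t   frag_len;
    int      more_data;   /* 0 when this slice completes the PDU */
} slice_t;

/* Per-line state: current PDU id, bytes seen, total length (0 = unknown). */
typedef struct { uint32_t id; size_t have, need; } stream_t;

/* Split one capture unit into per-PDU slices; returns the slice count.
 * ASSUMED framing: [len][len payload bytes], a stand-in for mux27010. */
size_t split_unit(stream_t *st, const uint8_t *buf, size_t len,
                  slice_t *out, size_t max_out)
{
    size_t n = 0, off = 0;
    while (off < len && n < max_out) {
        if (st->need == 0)                    /* first byte of a new PDU */
            st->need = (size_t)buf[off] + 1;  /* header byte plus payload */
        size_t take = st->need - st->have;
        if (take > len - off) take = len - off;  /* rest is in the next unit */
        int more = st->have + take < st->need;
        out[n++] = (slice_t){ st->id, off, st->have, take, more };
        st->have += take;
        off += take;
        if (!more) {                          /* PDU complete: next one gets a new id */
            st->id++;
            st->have = st->need = 0;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed unit: last byte of a 3-byte PDU, then a whole 2-byte PDU. */
    stream_t st = { 0, 2, 3 };
    const uint8_t unit[] = { 0xEE, 0x01, 0xFF };
    slice_t s[4];
    size_t n = split_unit(&st, unit, sizeof unit, s, 4);
    for (size_t i = 0; i < n; i++)
        printf("id=%u frag_offset=%zu len=%zu more=%d\n", (unsigned)s[i].id,
               s[i].frag_offset, s[i].frag_len, s[i].more_data);
}
```

A capture unit holding the end of one PDU and the start or whole of the next yields two slices with different ids, so each slice is a separate reassembly entry keyed on its own PDU.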