[Wireshark-dev] Capture TCP reassembled protocol

2012-02-29 Thread fab12
Hello

Is it correct to assume that if my dissector uses tcp_dissect_pdus to
reassemble my protocol, I have to start the capture before the TCP
connection is established?

I'm thinking that if I start the capture afterwards, the TCP reassembly
module will call my getlength function with the first TCP segment it
receives for my connection, which may not correspond to an actual beginning
of one of the protocol messages (or maybe for that reason it will never
call the getlength function).

But I never noticed this problem before so I guess I'm missing something...

Best regards
Fabien

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe


Re: [Wireshark-dev] TCP reassembling

2011-12-09 Thread fab12
Hi

I tried this

static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    guint length;

    /* 32-bit little-endian payload length at MPI_LENGTH_INDEX, plus the header */
    length = tvb_get_letohl(tvb, offset + MPI_LENGTH_INDEX) + MPI_HEADER_SIZE;

    return length;
}

But I get exactly the same result.
The length returned is the same as before and seems correct to me...

Thx
Fabien


 Hi fab12,

 On Fri, Dec 09, 2011 at 08:25:12AM +0100, fa...@freesurf.fr wrote:
 Hello,

 I am having problems using tcp_dissect_pdus and hope someone can help
 me here.

 The documentation seems pretty clear to me and I think I am doing what I
 am supposed to do:

  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 20,
                   get_foo_message_len, dissect_foo_packet);


 static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
 {
     guint length;
     unsigned char lengthBytes[4];

     /* copy the raw length field out of the tvb */
     tvb_memcpy(tvb, lengthBytes, offset + MPI_LENGTH_INDEX, MPI_LENGTH_SIZE/8);
     /* assemble it as a little-endian 32-bit value and add the header size */
     length = lengthBytes[0] + (lengthBytes[1] << 8) + (lengthBytes[2] << 16) +
              (lengthBytes[3] << 24) + MPI_HEADER_SIZE;

     return length;
 }

 Try to use tvb_get_ntohl or tvb_get_htonl. AFAIA you wanna read some kind
 of integer from raw data, am I right?

 Unfortunately, when I open a capture file it is not working properly.
 When I attach to Wireshark with a debugger I can see that the behavior is
 not the one I expect:

 1. The debugger stops at a first frame which contains the beginning of a
 large message.
 I can see that my get_foo_message_len is called and returns the length of
 the complete message.
 2. Then Wireshark processes the next frame, which contains the remainder
 of the message. I can see it calls get_foo_message_len. Is this normal?
 I don't think so, and if it is, what am I supposed to do since I can't
 retrieve the size of the message the second time.

 Best regards,
 Fabien

 PS: Sorry if this is a duplicate. I tried to send the question already
 yesterday but I can't see it in my outbox so I guess I misclicked...



 --
 Best regards,
 Andriy
 0xBDDBDAE3


Re: [Wireshark-dev] TCP reassembling

2011-12-09 Thread fab12
I eventually figured it out.

I was calling the tcp_dissect_pdus like this

if (tree) { /* we are being asked for details */
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 20,
                     get_foo_message_len, dissect_foo_message);
}

When I remove the if (tree) test it works. So I moved the if (tree) test
into dissect_foo_message.

Br
Fabien



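Both the mid-stream capture question at the top of this page and the get_foo_message_len thread above turn on how a length-prefixed PDU is carved out of a TCP byte stream. The following C model of that loop is an added example, not code from the posts or from Wireshark: it assumes a constructed 8-byte header with a little-endian length at offset 4 and a 4096-byte payload cap (MPI_HEADER_SIZE, MPI_LENGTH_INDEX, MPI_MAX_PAYLOAD, feed_segment and make_pdu are this example's own definitions). It shows that the length callback runs again on the buffered bytes once the completing segment arrives, and that an implausible length (as when a capture starts mid-stream) has to be rejected rather than trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, not the thread's
 * real MPI layout): an 8-byte header whose bytes 4..7 hold the payload
 * length as a little-endian 32-bit integer, as tvb_get_letohl() would read. */
#define MPI_HEADER_SIZE  8
#define MPI_LENGTH_INDEX 4
#define MPI_MAX_PAYLOAD  4096  /* sanity cap: a mid-stream start or a corrupt
                                  header must not yield a huge PDU length */

/* Counterpart of the thread's get_foo_message_len(): the header bytes at
 * 'offset' are guaranteed present (fixed_len); returns the whole PDU
 * length, or 0 when the length field is implausible. */
static uint32_t get_foo_message_len(const uint8_t *buf, size_t offset)
{
    const uint8_t *p = buf + offset + MPI_LENGTH_INDEX;
    uint32_t payload = (uint32_t)p[0] | (uint32_t)p[1] << 8
                     | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return payload > MPI_MAX_PAYLOAD ? 0 : payload + MPI_HEADER_SIZE;
}

struct stream {
    uint8_t buf[256];   /* bytes not yet handed to the PDU dissector */
    size_t  len;
    int     len_calls;  /* how often the length callback ran */
    int     rejected;   /* PDUs dropped by the sanity check */
};

/* Model of tcp_dissect_pdus(): append one TCP segment, then carve out every
 * complete PDU. Returns the number of complete PDUs found by this call, or
 * -1 if the segment does not fit the buffer. */
static int feed_segment(struct stream *s, const uint8_t *seg, size_t n)
{
    size_t off = 0;
    int done = 0;

    if (s->len + n > sizeof s->buf)
        return -1;
    memcpy(s->buf + s->len, seg, n);
    s->len += n;

    while (s->len - off >= MPI_HEADER_SIZE) {   /* fixed_len bytes present */
        uint32_t pdu_len = get_foo_message_len(s->buf, off);
        s->len_calls++;
        if (pdu_len == 0) {          /* implausible length: drop and resync */
            s->rejected++;
            off = s->len;
            break;
        }
        if (s->len - off < pdu_len)  /* incomplete: wait for the next segment */
            break;
        off += pdu_len;              /* dissect_foo_message() would run here */
        done++;
    }
    memmove(s->buf, s->buf + off, s->len - off);
    s->len -= off;
    return done;
}

/* Builds one constructed PDU with 'payload' bytes of 0xAB; returns its size. */
static size_t make_pdu(uint8_t *out, uint32_t payload)
{
    memset(out, 0, MPI_HEADER_SIZE);
    out[MPI_LENGTH_INDEX]     = (uint8_t)payload;
    out[MPI_LENGTH_INDEX + 1] = (uint8_t)(payload >> 8);
    out[MPI_LENGTH_INDEX + 2] = (uint8_t)(payload >> 16);
    out[MPI_LENGTH_INDEX + 3] = (uint8_t)(payload >> 24);
    memset(out + MPI_HEADER_SIZE, 0xAB, payload);
    return MPI_HEADER_SIZE + payload;
}
```

Feeding the first 12 bytes of an 18-byte PDU calls the length callback once and carves nothing; the segment that completes it makes the callback run again on the buffered header before the PDU is handed on.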

Re: [Wireshark-dev] complex problem

2011-10-18 Thread fab12
Hello Marcel,

I don't have the solution for your problem, but I am basically doing the
same kind of thing as you in a plugin dissector.
I do some reassembling, probably not in the Wireshark-standard way, and it
seems to work, though I think I should have the same problem as you.

In my case the fragments of a given packet may all be in the same
Wireshark frame (most of the time), but not always.
What I do is manage a list of fragment descriptors. Each time I decode a
fragment I create a new descriptor and save it to an ordered list. When I
get the last fragment I do some reassembling.
To avoid creating multiple descriptors for the same fragment I save the
frame number in the descriptor (though I may have used the visited flag).

For some reason my dissector is only meant to be used with input .pcap
files (not for real-time capture).
I guess you also use .pcap files, otherwise you would not have the problem.

It would be useful to have an option in Wireshark to request that each time
a new capture file is loaded, it decodes each frame in sequence.
Do Wireshark experts think it would be too complex?
I tend to think it is not, since it merely means applying a filter after
loading the file...

Regards
Fabien


  On Thu, 13 Oct 2011 11:40:01 +0200, Marcel Haas inf...@fh-worms.de
  wrote:
 Hey,
 maybe the problem isn't so complex to solve but it's complex for me to
 explain. :)

 I have written my own reassembly code and it seems to work. But I
 have one big problem.
 If I set the filter and click apply, it works, because it goes through
 every packet.
 And I get my reassembled msg after the packet, but if I now click on the
 reassembled packet there
 is no reassembled tvb. I know the reason for that: it interprets
 every packet one by one.

 Example:
 Filter is set, click on Apply
 Packet: 1 -> frag
 Packet: 2 -> frag
 Packet: 3 -> Reassemble (last frag)
 If I click on Packet 3 it interprets only packet 3. It doesn't see
 packets 1 and 2
 and so it builds no Reass Tvb.

 Maybe I'm calling my function at the wrong position.
 Code:

 static void
 dissect_xxx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 {
     ...
     if (tree) {
         ...
     }
     // Fragment routine
     if (totalp > 1) {
         frag_tvb = tvb_new_subset(tvb, offset2, -1, -1); // get the fragment TVB

         // reassembly function
         big_tvb = ListenElementEinfuegen(NeuesListenElement(snode, pnum, totalp, frag_tvb));

         if (big_tvb) { // reassembled: big_tvb != NULL
             col_append_str(pinfo->cinfo, COL_INFO, "(Message Reassembled)");
             add_new_data_source(pinfo, big_tvb, "Defrag TVB"); // add new data source
         } else { // not the last packet of the reassembled short message: big_tvb == NULL
             col_append_fstr(pinfo->cinfo, COL_INFO, "(Message fragment %u)", pnum);
             col_append_fstr(pinfo->cinfo, COL_INFO, "(Frag: %u)", pinfo->fd->num);
             col_append_fstr(pinfo->cinfo, COL_INFO, "(Visit: %u)", pinfo->fd->flags.visited);
         }
     }
 }

 I hope someone understands my problem and has a good idea/solution :)

 thx and regards
 Marcel

  Hey Guys
  still having the same problem..
  Nobody has a clue for me??

  Jeff was saying to put my code before if(tree) if I get it right.. but
  other dissectors use reassembling after if(tree) too.
  Maybe I can control it by pinfo->fd->flags.visited??

  Regards Marcel


[Wireshark-dev] Send info to plugin

2011-10-07 Thread fab12
Hello,

Is there any way to send some information to a plugin dissector from the
wireshark GUI interface?

For instance using a wireshark menu to set some variable that will be
accessible from the plugin.
Or maybe it is possible to add a menu from the plugin?

Thanks
Fabien





Re: [Wireshark-dev] Send info to plugin

2011-10-07 Thread fab12

 On Oct 7, 2011, at 1:19 AM, fa...@freesurf.fr wrote:

 Is there any way to send some information to a plugin dissector from the
 wireshark GUI interface?

 What sort of information?


Typically a filename + directory where the plugin dissector would
write some statistical information.

 For instance using a wireshark menu to set some variable that will be
 accessible from the plugin.

 As Anders suggested, you *can* give it global information through a
 preference setting.

 We should probably also add a notion of conversations available to
 dissectors at multiple layers (a notion more general than the current
 address-and-port-endpoint-pair notion, that can include multiple address
 layers, circuits for protocols that have a virtual circuit ID of some
 sort, and conversations at layers above the transport layer), and
 per-conversation settings as well, with Wireshark offering a GUI to let
 you select a conversation and set one or more of a set of
 dissector-specified parameters.

 Or maybe it is possible to add a menu from the plugin?

 A menu item to do what?


I imagine a menu that would open a popup asking to enter the filename +
directory.




Re: [Wireshark-dev] Decompress Data

2011-10-07 Thread fab12
I have an example from my plugin if it may help:

unsigned char Ip_Buffer[2000];

/* Get the buffer bytes to decompress */
tvb_memcpy(tvb, Ip_Buffer, (*bitoffset)/8, lgpdubit/8);

/*
 * Decompress it:
 * the decompressed buffer is output in Op_Buffer,
 * the size of the decompressed buffer (in bits in this case) in O_SizeInBits
 */
rc = decompress(Ip_Buffer, lgpdubit - ((8-bitnb) % 8), Op_Buffer, &O_SizeInBits);

/* Now set up a new tvb holding the decompressed data */
next_tvb = tvb_new_real_data(Op_Buffer, O_SizeInBits/8, O_SizeInBits/8);
tvb_set_child_real_data_tvbuff(tvb, next_tvb);
add_new_data_source(pInfoG, next_tvb, "Decompressed Data");

/* From here dissect next_tvb from offset 0 */



  On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko
  dmitr...@gmail.com wrote:
 2011/10/7 Marcel Haas inf...@fh-worms.de:
 And i have the next problem. Damn wireshark kick my ass :)

 I have some packets witch are compress witz zlib.
 I want to uncompress them.
 I read the dev-guid about transformed data but i dont have a clue.
 I were testing some stuff but with no good result.
 Can someone help me with that ?

 It is simple.
 1) You have to know the size of the decompressed data, e.g. in a
 buffer_size variable.
 2) Alloc a buffer of the needed size for it using e.g. se_alloc, e.g.
 you have a pointer to the alloced buffer called buffer_ptr.
 3) Decompress your data into that buffer.
 4) call
  child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size);
 5) call
  add_new_data_source(pinfo, child_tvb, "Decompressed Data");
 6*) Optionally you can dissect child_tvb as any usual TVB.

 In the GUI you'll get the decompressed data in another tab called
 "Decompressed Data" or any other name you provide in step 5.

 --
   Max

  hmm I don't get it at all.. my code looks like this:

  guint8 *buff;
  tvbuff_t *compress_tvb;
  int captured_size;

  captured_size = tvb_length_remaining(tvb, offset2);                  // I think that's what you mean by 1
  buff = g_malloc(captured_size);                                       // step 2 ?
  compress_tvb = tvb_new_real_data(buff, captured_size, captured_size); // step 4 ?
  tvb_set_free_cb(compress_tvb, g_free);                                // step 4 ?
  tvb_set_child_real_data_tvbuff(tvb, compress_tvb);                    // step 4 ?
  add_new_data_source(pinfo, compress_tvb, "Decompressed TVB");         // step 5



[Wireshark-dev] Get capture file name

2011-10-03 Thread fab12
Hello

I made a dissector that so far is used with capture files generated from
traces by a protocol simulator.
So it is not real-time Ethernet sniffing.
In the dissector I gather data from the capture file being read to
generate a new file with misc information.
Now I need to name and save this file. So far I am using the current date
and a hard-coded default directory.
It would be much more convenient to save it in the capture file's
directory and name it after it.

So my question is: is there a variable that contains the location and file
name of the capture file?

Thanks
Fabien





Re: [Wireshark-dev] Access to column N° and time

2011-05-26 Thread fab12
Actually I meant how to access it programmatically.
Eventually I found pinfo->fd->num; and for the time

pinfo->fd->rel_ts.secs
pinfo->fd->rel_ts.nsecs

  fab12@... writes:

 How do I access the value in the frame number (first) column in a
 listview?
 frame.number

 Same question for the time column.
 Here are the available time display choices:
 frame.time
 frame.time_epoch
 frame.time_delta
 frame.time_delta_displayed
 frame.time_relative

 Also is it possible to change the value in the time column?
 If by value, you mean the format, then yes.  The simplest way is probably
 through View -> Time Display Format -> ...

 But you can also change the format or even add multiple time formats in
 different columns if you want by adding new time columns through Edit ->
 Preferences -> Columns -> ...





[Wireshark-dev] Access to column N° and time

2011-05-25 Thread fab12
Hello all,

I have some dummy questions for which I have not been able to find any
answer on the web:

How do I access the value in the frame number (first) column in a listview?

Same question for the time column.
Also is it possible to change the value in the time column?

Thx for your help
Fabien



[Wireshark-dev] Set source column address

2011-05-09 Thread fab12
Hello,

Is there a way to set the source address column?

I tried something like col_append_fstr(pInfoG->cinfo, 2, sourceadd);

and

pInfoG->src.type = AT_OSI;
pInfoG->src.len = 1;
pInfoG->src.data = sourceadd;

But neither works and I can't find any related info on the web about that

Thx
Fabien



Re: [Wireshark-dev] Reassembling tvbuff_t

2011-04-28 Thread fab12
Hi Anders,

I'm not sure the regular reassembly algorithm presented in the README is
good for me because my fragments do not come in sequence.
That is, I can receive a fragment of packet 2 between 2 fragments of packet 1.

That is why I'm wondering if my algorithm below is correct, and especially
the way I use the composite buffer. Is this the general spirit?

/* Fragment reception */
tvb_memcpy(tvb, data, offset, length);
frag_buf = tvb_new_real_data(data, length, reported_length);
/* add frag_buf to the global fragment list */

/* Upon reception of the last fragment */
pckt_buf = tvb_new_composite();
for each frag_buf of the same PDU in the global fragment list {
    tvb_composite_append(pckt_buf, frag_buf);
}
tvb_composite_finalize(pckt_buf);  /* the composite must be finalized before it is read */

/* Then I call my dissector on the reassembled packet. */
tvb_set_child_real_data_tvbuff(tvb, next_tvb);
add_new_data_source(pinfo, next_tvb, "Complete PDU");

MyDissector(next_tvb);

/* Do I need to free next_tvb? */
free(next_tvb);


Regards
Fabien

 Hi,
 We have a reassembly API in ~/epan/reassemble.c see also the README files
 in ~/doc
 Regards
 Anders






[Wireshark-dev] Reassembling tvbuff_t

2011-04-27 Thread fab12
Hi

I am currently working on a dissector for some proprietary protocol and I
need to do some reassembling of buffers.
I am looking for information on how to handle the tvbuff_t API.

I have found this:
http://wireshark.sourcearchive.com/documentation/1.0.0/tvbuff_8h_aa919b43fdba78f4be4a76aa274e6cce.html#aa919b43fdba78f4be4a76aa274e6cce

which is useful but I'm not sure I understand it.

With my protocol I am receiving packets in several fragments.
The fragment header tells me if it is a head, tail or mid fragment packet.

I am thinking of processing as follows but I am not sure if it is the best
way or even if it is correct:

Upon reception of a fragment: I copy it into a new tvbuff_t and save it in
some global list:

tvb_memcpy(tvb, data, offset, length);
frag_buf = tvb_new_real_data(data, length, reported_length);
// what is reported_length by the way?
// Is there a better way to make a buffer copy?
// add frag_buf to the global fragment list

Upon reception of the last fragment:
pckt_buf = tvb_new_composite();
for each frag_buf in the global fragment list
{
    tvb_composite_append(pckt_buf, frag_buf);
}
tvb_composite_finalize(pckt_buf);  // the composite must be finalized before use

// Then I call my dissector on the reassembled packet.

Is this the general idea?

Thx
Fabien



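Marcel's "complex problem" thread above (fragments reassembled on the first pass are gone when a single frame is re-dissected on its own) and Fabien's fragment-list algorithm in the two "Reassembling tvbuff_t" messages describe the same two requirements: collect fragments that arrive out of order and interleaved across PDUs, and remember the result per frame so a later pass over that frame alone does not need the other fragments. The following C model is an added example, not code from the posts or from Wireshark's reassemble.c; the fragment header (pdu_id, index, total), the buffer sizes and every function name here are this example's own assumptions, and the per-frame table stands in for the state a dissector must keep across passes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_FRAGS 8    /* fragments per PDU */
#define FRAG_MAX  16   /* bytes per fragment */
#define MAX_PDUS  4    /* PDUs pending or finished */
/* Constructed fragment header for this example (an assumption, not the
 * proprietary format from the threads): PDU id, fragment index, count. */
struct fragment { uint32_t pdu_id, index, total; const uint8_t *data; size_t len; };

/* Fragments are copied out of the packet (the thread's tvb_memcpy step) and
 * kept by index, so arrival order and interleaving with other PDUs do not
 * matter; 'seen' is a bitmask of the indexes already stored. */
struct pdu_state {
    uint32_t pdu_id, total, seen;
    uint8_t  data[MAX_FRAGS][FRAG_MAX];
    size_t   len[MAX_FRAGS];
};

/* A finished PDU, keyed by the frame that completed it: a later pass over
 * that frame alone (pinfo->fd->flags.visited set) finds it here. */
struct reassembled { uint32_t frame; uint8_t buf[MAX_FRAGS * FRAG_MAX]; size_t len; };

struct reassembler {
    struct pdu_state   pending[MAX_PDUS];
    struct reassembled done[MAX_PDUS];
    int n_pending, n_done;
};

static const struct reassembled *lookup_reassembled(const struct reassembler *r, uint32_t frame)
{
    for (int i = 0; i < r->n_done; i++)
        if (r->done[i].frame == frame) return &r->done[i];
    return NULL;
}

static struct pdu_state *find_pending(struct reassembler *r, const struct fragment *f)
{
    for (int i = 0; i < r->n_pending; i++)
        if (r->pending[i].pdu_id == f->pdu_id) return &r->pending[i];
    if (r->n_pending == MAX_PDUS) return NULL;
    struct pdu_state *p = &r->pending[r->n_pending++];
    memset(p, 0, sizeof *p);
    p->pdu_id = f->pdu_id; p->total = f->total;
    return p;
}
/* Process one fragment seen in 'frame'. First pass: collect, and when the
 * last missing piece arrives concatenate in index order (the composite tvb
 * step) and record the result under this frame. Any later pass over the
 * same frame returns that record without touching fragment state. */
static const struct reassembled *add_fragment(struct reassembler *r, uint32_t frame,
                                              const struct fragment *f)
{
    const struct reassembled *cached = lookup_reassembled(r, frame);
    if (cached) return cached;
    if (f->index >= f->total || f->total > MAX_FRAGS || f->len > FRAG_MAX)
        return NULL;                                  /* reject a bad header */
    struct pdu_state *p = find_pending(r, f);
    if (!p || p->total != f->total || (p->seen & (1u << f->index)))
        return NULL;                                  /* inconsistent or duplicate */
    memcpy(p->data[f->index], f->data, f->len);
    p->len[f->index] = f->len;
    p->seen |= 1u << f->index;
    if (p->seen != (1u << p->total) - 1 || r->n_done == MAX_PDUS) return NULL;
    struct reassembled *out = &r->done[r->n_done++];
    out->frame = frame; out->len = 0;
    for (uint32_t i = 0; i < p->total; i++) {
        memcpy(out->buf + out->len, p->data[i], p->len[i]);
        out->len += p->len[i];
    }
    *p = r->pending[--r->n_pending];   /* PDU complete: drop its pending entry */
    return out;
}
```

With the tail of PDU 1 arriving first, then all of PDU 2, then the head of PDU 1, both PDUs come out in index order, and re-processing the completing frame afterwards returns the stored result even though the pending fragment state is gone.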