Re: [Wireshark-dev] Wireshark dissector development - Reassembly tcp frames

Wed, 05 Nov 2014 07:09:07 -0800 

On Tuesday 04 November 2014 11:48:03 Guillaume Ribière wrote:
> I read the readme.dissector and try using two methods:
> 
>    First method:
> 
>    tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
>                get_dns_pdu_len, dissect_dns_tcp_pdu, data);
>            return tvb_captured_length(tvb);

You would use this when your protocol has a well-defined packet message format
where the length of a packet can be determined from the beginning of a message.
Example: SSL has a record length notion. IIRC this will call dns_desegment
multiple times if a packet contains multiple PDUs ("messages").

>    Second method :
> 
>    guint offset = 0;
>        while(offset < tvb_reported_length(tvb)) {
>            gint available = tvb_reported_length_remaining(tvb, offset);
>            gint len = tvb_strnlen(tvb, offset, available);
> 
>            if( -1 == len ) {
>                /* we ran out of data: ask for more */
>                pinfo->desegment_offset = offset;
>                pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
>                return (offset + available);
>            }
> 
[..]
>            offset += (guint)len;
>        }
> 
>        /* if we get here, then the end of the tvb coincided with the end of a
>           string. Happy days. */
>        return tvb_captured_length(tvb);

This can be used if you do not know the length of the data onbeforehand. In the
above example, the a C string is NUL-terminated and you cannot know the full
length until you have read everything.

> But impossible to reassemble the message, I do not understand why ... can
> you help me please? I hope you understand my problem ...: /

What issue are you encountering? Be very careful not to return 0 from a
dissector as it means "I do not know this data, pass it to a different
dissector". If you set desegment_len to a fixed positive value other than
DESEGMENT_ONE_MORE_SEGMENT, then you won't be able to change the segment length
later.
-- 
Kind regards,
Peter
https://lekensteyn.nl

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to