Hello to all,
I write a dissector for my protocol that reassebles multiple fragmet packets of 60 Kbytes each. For each fragment, a message (Message Reassembled) appears in the info column of Wireshark. For the last fragment (the reassebled packet) in info column the text [Illegal Message fragment] (Message Reassembled) appears. Here I have to note that the message is correctly reassebled. Obviously the reassebly routine runs before if (tree).
Diging more the error flags of the fragment I found that 1 error occurs (FD_TOOLONGFRAGMENT) even in very small reassebled messages.
Example with 3 fragments:
1: Fragment ID = 1, Sequence number = 1, Last fragment flag = 0
2: Fragment ID = 1, Sequence number = 2, Last fragment flag = 0
3: Fragment ID = 1, Sequence number = 0, Last fragment flag = 1
My questions:
1) For every fragment the message (Message Reassembled) in the info column is correct?
2) Why the message [Illegal Message fragment] (Message Reassembled) appears for the last fragment?
3) Why FD_TOOLONGFRAGMENT error occurs in reassebly?
Here is a snapshot of my code
if (fragment == FRAME_FRAGMENT)
{ /* fragmented */
tvbuff_t* new_tvb = NULL;
fragment_data *frag_msg = NULL;
// Read the packet id
msg_seqid = tvb_get_letohs(tvb, offset);
offset += 2;
// Read the fragment id
msg_num = tvb_get_letohs(tvb, offset);
offset += 2;
fragment_length = tvb_get_letohl(tvb, offset) & 0xFFFFFFF;
offset += 4;
pinfo->fragmented = TRUE;
if ((flags & FRAME_LAST_FRAG) == FRAME_LAST_FRAG)
last_fragment = TRUE;
else
last_fragment = FALSE;
// The current reassembly functions has deep rooted assumptions that the
// first fragment of a packet has sequence number (msg_num) = 0
// In PCAP file you must first write all the fragments of the packets and
// finally the 1st fragment of the packet. The 1st fragment of the packet (last
// in the PCAP file) should have msg_num = 0 and last_fragment = TRUE
// Check if this is the last fragment (last_fragment == TRUE and msg_nub == 0)
frag_msg = fragment_add_seq_check(tvb, offset, pinfo,
msg_seqid, /* ID for fragments belonging together */
fragment_table, /* list of message fragments */
reassembled_table, /* list of reassembled messages */
msg_num, /* fragment sequence number */
tvb_length_remaining(tvb, offset), /* fragment length - to the end */
!last_fragment); /* More fragments? */
new_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled Message", frag_msg, &msg_frag_items, NULL, pvs_frame_tree);
if (frag_msg)
{ /* Reassembled */
col_append_str(pinfo->cinfo, COL_INFO, " (Message Reassembled)");
}
else
{ /* Not last packet of reassembled Short Message */
col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %u)", msg_num);
}
if (new_tvb)
{ /* take it all */
next_tvb = new_tvb;
}
else
{ /* make a new subset */
next_tvb = tvb_new_subset(tvb, offset, -1, -1);
}
}
else
{ /* Not fragmented */
next_tvb = tvb_new_subset(tvb, 0, -1, -1);
}
pinfo->fragmented = save_fragmented;</code></pre></div><div id="question-tags" class="tags-container tags"><span class="post-tag tag-link-reassembly" rel="tag" title="see questions tagged 'reassembly'">reassembly</span></div><div id="question-controls" class="post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>asked <strong>07 Jun '12, 08:10</strong></p><img src="https://secure.gravatar.com/avatar/a316969e99cc919815d47ae1fc022a55?s=32&d=identicon&r=g" class="gravatar" width="32" height="32" alt="andapo's gravatar image" /><p><span>andapo</span><br />
1●2●2●3
accept rate: 0%
