Hi all, we have developed a dissector to analyze a log file filled with TCP packets. Each packet contains one or more messages that are previously specified with starting and ending keywords (bytes). But we faced a problem. Some messages start at the end of a packet and continue at the start of the next packet. How can we combine these two parts of bytes and then apply dissection to it? Does anyone have experience with that kind of case? Thanks in advance. asked 16 May '13, 01:26 barisalis
One Answer:
What you need is reassembly. There are two ways of doing this:
Both options are described in par 2.7 of README.developer. If you need more info or help after reading README.developer, feel free to ask :-) answered 16 May '13, 02:08 SYN-bit edited 16 May '13, 02:08
For our case: 1) Packet sizes are not fixed (packets can contain one or more messages). 2) Message lengths are not fixed (different lengths for different messages).
So I think we should work on the second option (Modify the pinfo struct to tell the TCP dissector to collect more data.).
What do you suggest further?
Can you determine the length of each PDU by reading some part of the header of the PDU? If so, then use tcp_dissect_pdus(). If not, i.e. you have to read to the end of the PDU to determine its length, then the 2nd method should be used.
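As an added illustration of the 2nd method (this is not code from the thread or from Wireshark), here is a stand-alone C model of the keyword-delimited scan such a dissector runs: it walks a segment message by message and, when an end keyword has not arrived yet, reports where dissection stopped and that the next segment is needed. The "STX"/"ETX" framing, the sample segments, NEED_MORE_SEGMENT and the scan_result struct are constructed stand-ins; in a real dissector those two values go into pinfo->desegment_offset and pinfo->desegment_len (set to DESEGMENT_ONE_MORE_SEGMENT).

```c
#include <stddef.h>
#include <string.h>
/* Constructed framing (assumption): each message is "STX"..."ETX"; messages are back to back. */
#define START_KW "STX"
#define END_KW   "ETX"
#define KW_LEN   3
#define NEED_MORE_SEGMENT (-1)  /* stand-in for Wireshark's DESEGMENT_ONE_MORE_SEGMENT */
typedef struct {
    size_t consumed;  /* bytes of complete messages: the value for pinfo->desegment_offset */
    int    need_more; /* 0 or NEED_MORE_SEGMENT: the value for pinfo->desegment_len */
    int    messages;  /* complete messages found in this buffer */
} scan_result;
/* Walk one payload (or the buffer TCP hands back after reassembly) message by message,
 * stopping at the first message whose end keyword has not arrived yet. */
scan_result scan_payload(const unsigned char *buf, size_t len)
{
    scan_result r = {0, 0, 0};
    size_t off = 0, i;
    while (off < len) {
        if (len - off >= KW_LEN && memcmp(buf + off, START_KW, KW_LEN) != 0)
            break;                        /* framing error: leave the rest undissected */
        for (i = off + KW_LEN; i + KW_LEN <= len; i++)
            if (memcmp(buf + i, END_KW, KW_LEN) == 0)
                break;
        if (i + KW_LEN > len) {           /* end keyword is in a later segment: stop at */
            r.consumed = off;             /* `off` and ask TCP to append the next segment */
            r.need_more = NEED_MORE_SEGMENT;
            return r;
        }
        off = i + KW_LEN;                 /* one complete message spanned [old off, off) */
        r.consumed = off;
        r.messages++;
    }
    return r;
}
/* Replays the thread's case: message two straddles the boundary, so the unconsumed tail of
 * segment 1 is joined with segment 2 and scanned again, as TCP does after a need-more reply. */
int dissect_two_segments(const unsigned char *s1, size_t l1, const unsigned char *s2, size_t l2)
{
    unsigned char joined[256];
    scan_result a = scan_payload(s1, l1);
    size_t tail = l1 - a.consumed;
    if (a.need_more != NEED_MORE_SEGMENT)
        return a.messages + scan_payload(s2, l2).messages;
    if (tail + l2 > sizeof joined) return -1;
    memcpy(joined, s1 + a.consumed, tail);  /* bytes TCP keeps from segment 1 ... */
    memcpy(joined + tail, s2, l2);          /* ... followed by all of segment 2 */
    return a.messages + scan_payload(joined, tail + l2).messages;
}
```

For the constructed segments "STXhelloETXSTXwor" and "ldETX", the first scan consumes 11 bytes and asks for more; the rescan of the joined tail yields the second message, which is the same two-step flow the reassembly output below reports for frames #5641 and #5643.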
Thanks!! We can see the result as below. But we wonder if there is any way to dissect this reassembled PDU.
2 Reassembled TCP Segments (160 bytes): #5641(20), #5643(140)
Frame: 5641, payload: 0-19 (20 bytes)
Frame: 5643, payload: 20-159 (140 bytes)
Segment count: 2
Reassembled TCP length: 160
The problem is perfectly solved. Thanks for your quick help.