This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I'm developing a dissector for a protocol that turns out to be a stream. How do I dissect PDUs which span multiple packets? Each PDU consists of 2 parts, message and parameters. Parameters consist of a few additional PDUs (number can vary from 0 to 255). All PDUs are basically strings, therefore variable in length.

In the documentation I found section "2.7.2 Modifying the pinfo struct", where it's described how to deal with such packets. I have devised a function which determines whether we have enough data to dissect a parameter. I check its output and if there's not enough data I do the following:

    pinfo->desegment_offset = offset;
    pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
    return offset;

I see in debugging output that it reaches this stage and returns, but I don't see actual packet re-assembling.

asked 09 Jul '13, 23:33


Andrey


I figured it out! I falsely thought that you can request more data from Wireshark at any point. But it seems like it conflicts with elements you already added to the tree. So I had to implement a function that calculates the length of the PDU (by reading the same bytes as the dissector); in case it finds that the expected length is larger than the remaining buffer length, it asks for another segment. If the test succeeds, it commences dissecting.


answered 12 Jul '13, 01:53


Andrey
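The approach described in the answer above, as an added example that is not part of the original post and is not Wireshark code: a side-effect-free length scan runs first, and only whole PDUs are consumed. The wire format (NUL-terminated message, one count byte, NUL-terminated parameters) and the names `pdu_len` and `consume_pdus` are assumptions, since the post does not specify them.

```c
#include <stddef.h>
#include <string.h>

/* Assumed wire format (constructed; the post does not give one):
 *   message\0  count (1 byte, 0..255)  param_1\0 ... param_count\0 */
#define NEED_MORE 0   /* no complete PDU in the bytes we have */

/* Length of the NUL-terminated string at buf[off], NUL included. */
static size_t str_len(const unsigned char *buf, size_t len, size_t off)
{
    if (off >= len) return NEED_MORE;
    const unsigned char *nul = memchr(buf + off, 0, len - off);
    return nul ? (size_t)(nul - (buf + off)) + 1 : NEED_MORE;
}

/* Pass 1: walk the same fields the dissector reads, touching no tree state.
 * Returns the whole PDU length, or NEED_MORE if the buffer ends first. */
size_t pdu_len(const unsigned char *buf, size_t len, size_t off)
{
    size_t pos = off, n;
    if ((n = str_len(buf, len, pos)) == NEED_MORE) return NEED_MORE;
    pos += n;
    if (pos >= len) return NEED_MORE;        /* count byte not here yet */
    unsigned count = buf[pos++];
    for (unsigned i = 0; i < count; i++) {
        if ((n = str_len(buf, len, pos)) == NEED_MORE) return NEED_MORE;
        pos += n;
    }
    return pos - off;
}

/* Pass 2 driver: consume only whole PDUs. The return value is the offset of
 * the first incomplete PDU, i.e. what a dissector would store in
 * pinfo->desegment_offset before asking for DESEGMENT_ONE_MORE_SEGMENT. */
size_t consume_pdus(const unsigned char *buf, size_t len, unsigned *pdus_out)
{
    size_t off = 0, n;
    *pdus_out = 0;
    while (off < len && (n = pdu_len(buf, len, off)) != NEED_MORE) {
        off += n;            /* a real dissector adds tree items here */
        (*pdus_out)++;
    }
    return off;
}

int main(void)
{   /* Constructed segment: one whole PDU, then one cut off mid-parameter. */
    const unsigned char seg[] = "LOGIN\0\x02" "alice\0" "pw\0" "PING\0\x01" "ab";
    unsigned n;
    return consume_pdus(seg, sizeof seg - 1, &n) == 16 ? 0 : 1;
}
```

Every read is bounded by `len`, so a truncated or malformed segment yields `NEED_MORE` instead of a read past the buffer.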
