This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting stream


Hi, I'm developing a dissector for a protocol that turns out to be a stream. How do I dissect PDUs which span multiple packets? Each PDU consists of 2 parts, message and parameters. Parameters consist of a few additional PDUs (the number can vary from 0 to 255). All PDUs are basically strings, therefore variable in length.

In the documentation I found section "2.7.2 Modifying the pinfo struct", where it's described how to deal with such packets. I have devised a function which determines whether we have enough data to dissect a parameter. I check its output and if there's not enough data I do the following:

    pinfo->desegment_offset = offset;
    pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
    return offset;

I see in debugging output that it reaches this stage and returns, but I don't see actual packet re-assembling.

asked 09 Jul '13, 23:33


Andrey


One Answer:


I figured it out! I falsely thought that you can request more data from Wireshark at any point. But it seems like it conflicts with elements you already added to the tree. So I had to implement a function that calculates the length of the PDU (by reading the same bytes as the dissector); in case it finds that the expected length is larger than the remaining buffer length it asks for another segment. If the test succeeds it commences dissecting.

answered 12 Jul '13, 01:53


Andrey
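The pattern the answer describes, as an added, self-contained C example that is not code from the original post and does not link against Wireshark: a length-walking function that reads exactly the bytes the dissector would read but touches no tree, and a driver that models the parts of pinfo and TCP reassembly that matter (desegment_offset, desegment_len, bytes carried to the next segment). The wire format is assumed, since the post does not give one: a PDU is a message, a one-byte parameter count (0..255) and that many parameters, with the message and every parameter being a one-byte length followed by that many bytes. The buffer limit, the sample bytes and the stream_t model are constructed for the example; DESEGMENT_ONE_MORE_SEGMENT carries Wireshark's real value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wireshark's value (epan/packet_info.h) for "length unknown, give me one more segment". */
#define DESEGMENT_ONE_MORE_SEGMENT 0x0fffffff
#define LEN_UNKNOWN (-1)

/* Walk the PDU exactly as the dissector would, adding nothing to any tree.
 * Returns the total PDU length once it can be determined from 'avail' bytes,
 * or LEN_UNKNOWN if a length byte needed for the walk has not arrived yet.
 * The returned total may exceed 'avail'; the caller then knows how much to ask for. */
static int pdu_length(const uint8_t *buf, size_t avail) {
    size_t off = 0;
    if (off >= avail) return LEN_UNKNOWN;
    off += 1 + buf[off];                          /* message: length byte + bytes */
    if (off >= avail) return LEN_UNKNOWN;         /* parameter count byte not here yet */
    uint8_t count = buf[off++];
    for (unsigned i = 0; i < count; i++) {
        if (off >= avail) return LEN_UNKNOWN;     /* this parameter's length byte missing */
        off += 1 + buf[off];
    }
    return (int)off;
}

/* The real dissection: only ever called with a complete PDU in 'buf'. */
static void dissect_pdu(const uint8_t *buf) {
    size_t off = 0;
    printf("message=%.*s", buf[0], (const char *)buf + 1);
    off += 1 + buf[0];
    uint8_t count = buf[off++];
    for (unsigned i = 0; i < count; i++) {
        printf(" param[%u]=%.*s", i, buf[off], (const char *)buf + off + 1);
        off += 1 + buf[off];
    }
    printf("\n");
}

/* Constructed model of the pinfo fields and reassembly state used here. */
typedef struct {
    uint8_t buf[512];        /* bytes not yet consumed by a complete PDU */
    size_t  len;
    int     pdus_dissected;
    int     desegment_offset;
    int     desegment_len;   /* 0 = nothing requested after the last segment */
} stream_t;

/* Feed one TCP segment. Returns the number of PDUs completed by it, or -1 on overflow. */
static int feed_segment(stream_t *s, const uint8_t *seg, size_t n) {
    int done = 0;
    if (s->len + n > sizeof s->buf) return -1;
    memcpy(s->buf + s->len, seg, n);
    s->len += n;
    s->desegment_len = 0;
    size_t off = 0;
    while (off < s->len) {
        int total = pdu_length(s->buf + off, s->len - off);
        if (total == LEN_UNKNOWN) {               /* can't even size it: one more segment */
            s->desegment_offset = (int)off;
            s->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
            break;
        }
        if ((size_t)total > s->len - off) {       /* sized, but short: ask for exactly the rest */
            s->desegment_offset = (int)off;
            s->desegment_len = total - (int)(s->len - off);
            break;
        }
        dissect_pdu(s->buf + off);                /* safe: nothing was added before this check */
        off += (size_t)total;
        done++;
    }
    /* Carry the unconsumed tail (from desegment_offset) into the next segment. */
    memmove(s->buf, s->buf + off, s->len - off);
    s->len -= off;
    s->pdus_dissected += done;
    return done;
}

/* Constructed sample: message "HELLO", 2 parameters "a" and "bc" (12 bytes). */
static const uint8_t SAMPLE[] = { 5,'H','E','L','L','O', 2, 1,'a', 2,'b','c' };

int main(void) {
    stream_t s;
    memset(&s, 0, sizeof s);
    feed_segment(&s, SAMPLE, 4);        /* count byte missing -> ONE_MORE_SEGMENT */
    feed_segment(&s, SAMPLE + 4, 7);    /* length known (12), one byte short -> desegment_len 1 */
    feed_segment(&s, SAMPLE + 11, 1);   /* complete -> dissected */
    return s.pdus_dissected == 1 ? 0 : 1;
}
```

The point the answer makes is visible in feed_segment: dissect_pdu runs only after pdu_length has proven the whole PDU is present, so a request for more data never has to undo tree items. When the length is known but short, the exact byte count is requested instead of DESEGMENT_ONE_MORE_SEGMENT, which saves a round trip through the dissector per segment; in a real dissector this split is what tcp_dissect_pdus expects from its get_pdu_len callback.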