This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I am writing a dissector and I would like to recover some information contained in a packet A, which is sent first, and pass it to a packet B. For example, sometimes my protocol has fragmented data (the B packet may be too large and is then concatenated into several smaller packets) but the information on how this packet is fragmented is embedded in the previous packet (the packet A). Hence, I would like to save these fragmentation parameters from packet A and use them to recover (to defragment) the packet B. Is this possible?

Thank you for your help!

asked 21 Aug '13, 01:22

Afrim


Take a look at reassembly.[ch] in the epan dir. Read readme.dissector (TCP reassembly) and check out dissectors using the reassembly interface. If you need to preserve information between packets, the conversations interface may be what you need, possibly paired with "p_get_proto_data()". Note that packets are only read sequentially on the first pass; after that a packet may be accessed randomly.


answered 21 Aug '13, 07:52

Anders ♦

Hi Anders,

Reassembly is not a problem; I already succeeded in reassembling data, but the fragmentation parameters were within the packet. I have seen the conversation interface in some protocols (SMTP) and I wasn't sure if it was what I needed. Also, I tried "p_get_proto_data()" but not paired with the conversation interface (it was definitely useless since pinfo is cleared for every packet).

I will take a look at the conversation interface.

Thank you for your answer.

(21 Aug '13, 08:23) Afrim

Well, the conversation interface seems to be what I need, but something is wrong when I try to use it. Like I said in my first post, I have two packets (let's say A and B). The information I want to save is in packet A, so when packet A is detected in my protocol I save the information using:

conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);

And then when packet B is detected I call:

find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);

But this always returns a NULL value.

Ofc I call conversation_add_proto_data() to save the data I want to reuse in Packet B.

Did I miss something?

EDIT: OK, I found my mistake; problem resolved :)

EDIT2: I was setting short addresses with 4 bytes instead of 2. The 2 extra bytes were not equal in packet A and packet B, so when I passed the src/dst addresses to create/find conversation it failed, ofc.

This answer is marked "community wiki".

answered 27 Aug '13, 07:29

Afrim

edited 27 Aug '13, 12:27

So for the benefit of others what was the mistake?

Please edit your "answer" with the correct solution.

(27 Aug '13, 10:01) grahamb ♦
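
The address-length mismatch described in EDIT2, as an added example that is not part of the original thread and is not Wireshark's code: a simplified conversation table keyed on (src, dst) addresses, showing why a key built with 4 bytes per 2-byte short address misses on packet B. The types, function names and packet layout are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical stand-ins for an address and a conversation table (not Wireshark's code). */
typedef struct { int len; const uint8_t *data; } addr_t;
typedef struct { uint8_t src[4], dst[4]; int src_len, dst_len, frag_count, used; } conv_t;
#define NCONV 8
static conv_t table[NCONV];

static int same(const uint8_t *k, int klen, const addr_t *a) {
    return klen == a->len && memcmp(k, a->data, (size_t)klen) == 0;
}

/* Register a conversation; address bytes are copied so the key outlives the packet. */
static conv_t *conv_new(const addr_t *s, const addr_t *d, int frag_count) {
    if (s->len < 1 || s->len > 4 || d->len < 1 || d->len > 4) return NULL;
    for (int i = 0; i < NCONV; i++) {
        conv_t *c = &table[i];
        if (c->used) continue;
        memcpy(c->src, s->data, (size_t)s->len); c->src_len = s->len;
        memcpy(c->dst, d->data, (size_t)d->len); c->dst_len = d->len;
        c->frag_count = frag_count; c->used = 1;
        return c;
    }
    return NULL;
}

/* Look up by exact (src, dst) pair; every byte covered by len must match. */
static conv_t *conv_find(const addr_t *s, const addr_t *d) {
    for (int i = 0; i < NCONV; i++) {
        conv_t *c = &table[i];
        if (c->used && same(c->src, c->src_len, s) && same(c->dst, c->dst_len, d)) return c;
    }
    return NULL;
}

/* Constructed headers: [src:2][seq:2][dst:2][seq:2]; only seq differs between A and B. */
static const uint8_t pkt_a[8] = {0x00,0x01, 0x00,0x10, 0x00,0x02, 0x00,0x10};
static const uint8_t pkt_b[8] = {0x00,0x01, 0x00,0x11, 0x00,0x02, 0x00,0x11};

/* Save A's fragment count (3), look it up from B with addr_len bytes per address; -1 on a miss. */
int lookup_b_after_a(int addr_len) {
    memset(table, 0, sizeof table);
    addr_t as = {addr_len, pkt_a}, ad = {addr_len, pkt_a + 4};
    addr_t bs = {addr_len, pkt_b}, bd = {addr_len, pkt_b + 4};
    if (!conv_new(&as, &ad, 3)) return -1;
    conv_t *c = conv_find(&bs, &bd);
    return c ? c->frag_count : -1;
}
```

With a length of 4 the key for each address also covers the two bytes that follow it in the header, which change between packets, so the lookup from packet B misses; with a length of 2 the stored value is found.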
question asked: 21 Aug '13, 01:22

question was seen: 2,181 times

last updated: 27 Aug '13, 12:27
