This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I'm willing to build a dissector able to reassemble PDUs spanned across multiple UDP packets. My protocol has sequence/fragment IDs/total length, so there's everything needed to reassemble properly.

If I'm not mistaken there's no automated assembly mechanism like for TCP within the API (pinfo.desegment_len etc.). So I take it I would have to implement a manual re-assembly.

But how can I pass data between 2 frames / dissector calls? Tvb can only be declared/used in a dissector so I can't store my fragment in a tvb variable. I tried to store it in a ByteArray and then use ByteArray <-> Tvb conversion methods with no luck: Wireshark crashes, probably because of ByteArray's maximum sizes (overflow).

Also, whilst a manual re-assembly might work on a first pass, how about random access when clicking?

Any suggestions?

Thanks

asked 13 Dec '13, 05:39

lepolac


Basically you will need to implement the same re-assembly routines in your protocol dissector as are implemented in the IP and the TCP dissector. Have a look at the support functions for reassembly that can be found in "epan/reassemble.h" and how they are used in the IP and TCP dissector.


answered 13 Dec '13, 06:39

SYN-bit ♦♦

Oops, just realized you are using Lua instead of C. Not sure how many support routines there are in Lua regarding reassembly...

(13 Dec '13, 06:40) SYN-bit ♦♦
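
One way to do manual reassembly in a Lua dissector, covering the two points raised in the question: keeping fragment data between dissector calls, and still showing the reassembled PDU when a packet is clicked later. This is an added example, not code from the thread or from Wireshark itself; the protocol name, UDP port 7777 and the 4-byte header layout are assumptions.

```lua
-- Added example: hypothetical protocol "myproto" on UDP port 7777 (assumed).
-- Assumed header: uint16 PDU id | uint8 fragment index | uint8 fragment count | payload
local myproto = Proto("myproto", "My Fragmented Protocol (example)")
local f_id  = ProtoField.uint16("myproto.id", "PDU id")
local f_idx = ProtoField.uint8("myproto.frag", "Fragment index")
local f_cnt = ProtoField.uint8("myproto.count", "Fragment count")
myproto.fields = { f_id, f_idx, f_cnt }

local HDR = 4        -- header length in bytes (assumed layout above)
local partial = {}   -- [PDU id] = { count = n, have = k, frags = { [idx] = ByteArray } }
local done = {}      -- [frame number] = ByteArray of the PDU completed by that frame

function myproto.init()   -- runs when a capture is (re)loaded: drop stale state
    partial, done = {}, {}
end

function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() <= HDR then return 0 end          -- need header plus payload
    local id, idx, cnt = tvb(0, 2):uint(), tvb(2, 1):uint(), tvb(3, 1):uint()
    if cnt == 0 or idx >= cnt then return 0 end    -- reject inconsistent headers
    pinfo.cols.protocol = "MYPROTO"
    local t = tree:add(myproto, tvb())
    t:add(f_id, tvb(0, 2)); t:add(f_idx, tvb(2, 1)); t:add(f_cnt, tvb(3, 1))

    -- Collect fragments on the first sequential pass only; later calls
    -- (clicking a packet, applying a filter) must not add them again.
    if not pinfo.visited then
        local p = partial[id]
        if not p or p.count ~= cnt then
            p = { count = cnt, have = 0, frags = {} }; partial[id] = p
        end
        if not p.frags[idx] then                   -- ignore duplicate fragments
            p.frags[idx] = tvb(HDR):bytes()        -- copy: a Tvb must not outlive this call
            p.have = p.have + 1
        end
        if p.have == p.count then
            local whole = ByteArray.new()
            for i = 0, p.count - 1 do whole:append(p.frags[i]) end
            done[pinfo.number] = whole             -- keyed by frame for random access
            partial[id] = nil
        end
    end

    local whole = done[pinfo.number]
    if whole then
        local rtvb = ByteArray.tvb(whole, "Reassembled PDU")
        t:add(rtvb(), "Reassembled payload (" .. rtvb:len() .. " bytes)")
    end
    return tvb:len()
end

DissectorTable.get("udp.port"):add(7777, myproto)
```

Here the pending state is bounded by the 8-bit fragment count and 16-bit PDU id; with wider fields, cap the table size so a malformed or crafted capture cannot exhaust memory.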