I'm writing a dissector for a protocol over a TCP stream which can emit more than one packet per real TCP frame. For example, let's assume that we have an Ethernet tunnel over a TCP stream, and one TCP frame of length 15000 bytes (assume the capture with TSO on) can contain five or ten embedded Ethernet packets. So I can successfully dissect this stream and can write info about each packet to the frame tree. But it is not possible to indicate such packets in the frame list. And in another case, when I try to sub-dissect emitted packets with the Ethernet dissector, the system goes crazy and breaks the TCP reassembly functionality.
What is the proper way to write such a dissector? How can I indicate new frames in the frame list? How do I avoid breaking the TCP reassembly functionality when sub-dissecting nested packets?
The best approach I have found is to dump the emitted packets to another pcap file during dissection and then load it into Wireshark. But this is a hard way.
asked 13 Feb '14, 07:41
That's not supported. At some point in the future we might support having multiple ways of viewing the list of packets, with an option to have the list show all packets at a given layer, so that, while the frame list will always be a list of "frames" as defined by the lowest layer protocol in the capture, you could see, instead, a list of reassembled IP datagrams (with one entry per IP datagram, and with the fragments not shown as individual frames) or a list of XXX-over-TCP packets (with one entry per XXX packet, even if there are multiple XXX packets in one frame or one TCP segment or if an XXX packet requires multiple frames or TCP segments), but that's not available now.
How do you determine where an Ethernet packet begins or ends in the TCP byte stream? Do you have a length field before each Ethernet packet? If so, you could use
answered 13 Feb '14, 15:11
Guy Harris
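As an added illustration of the length-field approach the answer alludes to (this is example code, not from the question, the answer, or Wireshark itself): a Lua dissector for a hypothetical Ethernet-over-TCP tunnel in which each embedded Ethernet frame is preceded by a 2-byte big-endian length. The 2-byte header, the name `ethtun` and TCP port 9999 are assumptions, not the asker's real protocol; the dissector uses `pinfo.desegment_len` so that Wireshark's TCP reassembly delivers a PDU that straddles segments whole, instead of the dissector fighting reassembly.

```lua
-- Added example (not from the question or answer): a Lua dissector for a
-- hypothetical "Ethernet-over-TCP" tunnel in which every embedded Ethernet
-- frame is preceded by a 2-byte big-endian length field. Port 9999 is an
-- arbitrary placeholder, not the asker's real protocol.
local ethtun = Proto("ethtun", "Ethernet over TCP (example)")

local f_len = ProtoField.uint16("ethtun.len", "Payload Length", base.DEC)
ethtun.fields = { f_len }

-- Wireshark's own Ethernet dissector (frames delivered without FCS).
local eth_dissector = Dissector.get("eth_withoutfcs")

local HDR_LEN = 2

function ethtun.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = ethtun.name
    local offset = 0
    local pdu_count = 0

    -- One TCP segment may carry several PDUs: loop until the buffer is used up.
    while offset < tvb:len() do
        local avail = tvb:len() - offset

        -- Not even the length header is here: ask TCP for one more segment.
        if avail < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local plen = tvb(offset, HDR_LEN):uint()
        local pdu_len = HDR_LEN + plen

        -- Partial PDU: tell TCP exactly how many more bytes are needed, starting
        -- at this PDU's first byte, so it is re-delivered whole on the next call.
        if avail < pdu_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = pdu_len - avail
            return
        end

        local sub = tree:add(ethtun, tvb(offset, pdu_len),
                             string.format("Embedded Ethernet frame #%d", pdu_count + 1))
        sub:add(f_len, tvb(offset, HDR_LEN))

        -- Hand exactly one Ethernet frame (and nothing after it) to the Ethernet
        -- dissector through a subset tvb, so it cannot read past this PDU.
        eth_dissector:call(tvb(offset + HDR_LEN, plen):tvb(), pinfo, sub)

        offset = offset + pdu_len
        pdu_count = pdu_count + 1
    end
    return offset
end

DissectorTable.get("tcp.port"):add(9999, ethtun)
```

The inner Ethernet frame's own IP/TCP layers are dissected with the same `pinfo`, so keep all desegmentation decisions at this outer layer and always pass the inner dissector a tvb bounded to one frame. As the answer states, each embedded frame still appears in the packet list only as a subtree of the enclosing TCP frame, not as a row of its own.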