I'm starting to dig into the details of some capture files and have been humbled by the gaps in my knowledge that have been exposed in this process. I am using a Lua dissector for a protocol (call it MYPROTO) that is conveyed via TCP. I was puzzled by some extremely large TCP segments in the capture, but now understand that multiple MYPROTO PDUs can be carried in a single TCP segment. However, the Lua dissector only shows one MYPROTO PDU. (I'm still puzzled by the underlying question of why some segments are extremely large while others are not, but I can put that aside while I look to solve the dissector problem.)
I have been reading about reassembly, which I understand to mean the process of reassembling higher-level PDUs that may cross multiple TCP segments. If I modify the dissector to support reassembly, will the same mechanism allow the dissector to discover multiple MYPROTO PDUs within a single TCP segment?
asked 07 Mar '14, 04:35
edited 07 Mar '14, 04:43
Not the last time I checked. I believe you have to write your dissector function with a loop internally, to handle the case of there being multiple of your protocol messages inside a single TCP segment. I could be wrong, but I don't believe wireshark will call your dissector function multiple times for the same TCP segment (or at least it didn't use to, though that may have changed). That should be easy enough for you to test though, and report back here with an answer. :)
Regardless, if your dissector doesn't use one of the two reassembly mechanisms/models, then wireshark has no idea how much of a segment(s) your protocol message consumed, since there's no inherent message framing inside TCP. So you at least have to use one of the reassembly models to handle the fact that any given protocol message may cross one or more segment(s).
answered 07 Mar '14, 05:10
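An added example (not from the question or the answer above) of the loop-plus-reassembly pattern the answer describes, written as a Wireshark Lua dissector for an assumed MYPROTO framing (2-byte length prefix, 1-byte type, payload) on an assumed TCP port 5555; both the framing and the port are placeholders, since the question gives neither:

```lua
-- Assumed MYPROTO framing: 2-byte big-endian length (whole PDU, header
-- included), 1-byte message type, then payload. Not the real protocol.
local myproto = Proto("myproto", "MYPROTO (example)")
local f_len  = ProtoField.uint16("myproto.len",  "PDU Length", base.DEC)
local f_type = ProtoField.uint8("myproto.type", "Message Type", base.HEX)
local f_data = ProtoField.bytes("myproto.data", "Payload")
myproto.fields = { f_len, f_type, f_data }
local HDR_LEN = 3

function myproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = myproto.name
    local offset, seg_len, pdu_count = 0, tvb:len(), 0
    -- One TCP segment may hold several PDUs, so loop until it is consumed.
    while offset < seg_len do
        local remaining = seg_len - offset
        -- Header is split across segments: ask TCP for one more segment and
        -- tell it where this PDU starts so the whole PDU is re-delivered.
        if remaining < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end
        local pdu_len = tvb(offset, 2):uint()
        if pdu_len < HDR_LEN then
            -- Length cannot even cover its own header: stop instead of looping forever.
            tree:add(myproto, tvb(offset), "MYPROTO: malformed length field")
            return
        end
        -- PDU runs past this segment: request exactly the missing bytes; the
        -- reassembled data is handed back to this same function later.
        if remaining < pdu_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = pdu_len - remaining
            return
        end
        local sub = tree:add(myproto, tvb(offset, pdu_len), "MYPROTO PDU")
        sub:add(f_len,  tvb(offset, 2))
        sub:add(f_type, tvb(offset + 2, 1))
        if pdu_len > HDR_LEN then
            sub:add(f_data, tvb(offset + HDR_LEN, pdu_len - HDR_LEN))
        end
        offset, pdu_count = offset + pdu_len, pdu_count + 1
    end
    pinfo.cols.info = string.format("%d MYPROTO PDU(s)", pdu_count)
end

-- Assumed port; the question does not say which port MYPROTO uses.
DissectorTable.get("tcp.port"):add(5555, myproto)
```

This relies on the TCP preference "Allow subdissector to reassemble TCP streams" (on by default): when the function returns after setting desegment_len, Wireshark calls it again with the combined data once the missing segment arrives, and the loop then picks up where the partial PDU began.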