This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcp_dissect_pdus reassembly not working for fragmented TCP packets


Hi,

I'm trying to get a protocol dissector plugin to work on a custom Wireshark build. As mentioned in the Wireshark documentation, I'm using tcp_dissect_pdus for this. In my protocol (over TCP) the 6th and 7th bytes denote the payload length, so the minimum number of bytes needed for the get_callpmed_message_len() method would be 7. In a network trace (I force fragmentation by reducing the MTU size on my Linux card) I see both cases, i.e. fragmented TCP packets and clubbed packets (multiple TCP packets in one packet). My dissector is able to decode the clubbed packets and shows them in the same protocol tree (in the Wireshark display), but fragmented packets are never shown (it just prints "TCP segment of a reassembled PDU" in the Info column). If I don't force fragmentation, i.e. if the packets are sent without fragmentation, then the same dissector code works just fine (showing the proper info in the Wireshark display).

Here is my code snippet. Please advise if I'm missing something, or whether this is still a problem with the tcp_dissect_pdus() API.

#include <epan/packet.h>                 /* headers the snippet needs (added) */
#include <epan/dissectors/packet-tcp.h>  /* tcp_dissect_pdus() */

/* Determine the PDU length of the protocol. tcp_dissect_pdus() expects the
 * TOTAL PDU length, header included; bytes 6-7 (offset 5, little-endian) hold
 * the payload length only, so the header is added back. The 7-byte header
 * size is an assumption taken from the fixed_len passed to tcp_dissect_pdus(). */
static guint get_callpmed_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    guint payload_len = (guint)tvb_get_letohs(tvb, offset + 5);
    return 7 + payload_len;
}

/* Forward declaration: the per-PDU dissector is defined below */
static int dissect_ActualMethod(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data);

//Top level dissector
static void dissect_callpmed(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree)
{
    /* proto_desegment = TRUE, fixed_len = 7: the length callback is only
       invoked once at least 7 bytes of a PDU are available */
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 7, get_kodiakcallpmed_message_len,
                     dissect_ActualMethod, NULL);
    //return 0;
}

//Actual dissector routine, called once per complete PDU
static int dissect_ActualMethod(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data)
{
    proto_item* kodiakcallpmed_item = NULL;
    proto_tree* kodiakcallpmed_tree = NULL;
    guint32 aLength = tvb_length(tvb);

    if((aLength == 0) || (aLength > 3000))
        return -1;

    //Set protocol name in PROTOCOL column
    col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_TAG_callpmed);

    /* Clear out stuff in the info column */
    col_clear(pinfo->cinfo,COL_INFO);

    if (tree) 
    {
        .... //Dissecting logic
    }

    /* Report the number of bytes consumed (the original snippet had no return) */
    return (int)aLength;
}

asked 01 Jul ‘14, 02:14

puneet30

edited 01 Jul ‘14, 02:47

Guy Harris ♦♦

Presumably you either meant

static guint get_kodiakcallpmed_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
…
}

or you meant

    tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 7, get_callpmed_message_len,
                     dissect_ActualMethod, NULL);
(01 Jul ‘14, 02:50) Guy Harris ♦♦

Looks like a legitimate bug; I was able to reproduce it by splitting the TCP payload of a git capture using https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/replay-chunks.py

(02 Jul ‘14, 12:45) Lekensteyn

Actually, it works fine for me. The script had an error which dropped data. OP, can you provide more details, like a network capture, your Wireshark version and dissector code?

(03 Jul ‘14, 03:57) Lekensteyn
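The following is an added example, not code from the question or from Wireshark itself: a standalone C model of the contract tcp_dissect_pdus() imposes on its get_pdu_len callback. The frame layout (a 0xA5 marker byte at offset 0, a 7-byte header, little-endian payload length at offset 5) and the two-PDU byte stream are constructed for the example, and the reassembly loop only mimics how tcp_dissect_pdus() waits for fixed_len bytes, asks the callback for the PDU length, desegments when fewer bytes are present and advances by the returned length. It runs the same stream once as a single "clubbed" segment and once in small segments that split headers across segment boundaries, with a callback that returns the total PDU length and with one that, like the question's snippet, returns the payload length only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed header layout for this model: byte 0 is a 0xA5 marker byte
 * (an assumption; the question does not describe byte 0), bytes 5-6 hold the
 * payload length little-endian, 7 bytes of header in total. */
#define HDR_LEN 7
#define MARKER  0xA5

typedef size_t (*pdu_len_fn)(const uint8_t *hdr);

/* Correct get_pdu_len: the total PDU length, header included. */
static size_t pdu_len_total(const uint8_t *h)
{
    return HDR_LEN + (size_t)(h[5] | (h[6] << 8));
}

/* The variant from the question: payload length only, header not added. */
static size_t pdu_len_payload_only(const uint8_t *h)
{
    return (size_t)(h[5] | (h[6] << 8));
}

typedef struct {
    uint8_t buf[256];   /* bytes not yet consumed, carried to the next segment */
    size_t  len;
    int     pdus;       /* complete PDUs handed to the PDU dissector */
    int     bad;        /* PDUs whose marker byte was not at the computed offset */
} reasm_t;

/* Model of tcp_dissect_pdus() for one TCP segment: append the segment, then
 * loop: wait for fixed_len bytes, ask get_pdu_len for the PDU length,
 * desegment if the PDU is incomplete, otherwise "dissect" it and advance. */
static void feed_segment(reasm_t *st, pdu_len_fn get_len, const uint8_t *seg, size_t n)
{
    size_t off = 0;

    if (st->len + n > sizeof st->buf)
        return;                                  /* out of model capacity */
    memcpy(st->buf + st->len, seg, n);
    st->len += n;

    while (st->len - off >= HDR_LEN) {           /* fixed_len bytes present */
        size_t plen = get_len(st->buf + off);
        if (plen < HDR_LEN) {                    /* Wireshark reports this as malformed */
            st->bad++;
            st->len = 0;
            return;
        }
        if (st->len - off < plen)                /* "TCP segment of a reassembled PDU" */
            break;
        /* The PDU dissector would receive exactly plen bytes starting here. */
        if (st->buf[off] == MARKER) st->pdus++; else st->bad++;
        off += plen;
    }
    memmove(st->buf, st->buf + off, st->len - off);
    st->len -= off;
}

/* Constructed stream of two PDUs (39 bytes), delivered in seg_size-byte TCP
 * segments: seg_size == 39 is the "clubbed" case, smaller values split
 * headers and payloads across segments like the reduced-MTU capture. */
static reasm_t run_stream(pdu_len_fn get_len, size_t seg_size)
{
    static const uint8_t stream[] = {
        MARKER, 0x01, 0x00, 0x00, 0x00, 16, 0x00,       /* PDU 1: payload 16 bytes */
        '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
        MARKER, 0x02, 0x00, 0x00, 0x00, 9, 0x00,        /* PDU 2: payload 9 bytes */
        'G','H','I','J','K','L','M','N','O',
    };
    reasm_t st;
    size_t pos;

    memset(&st, 0, sizeof st);
    for (pos = 0; pos < sizeof stream; pos += seg_size) {
        size_t n = sizeof stream - pos < seg_size ? sizeof stream - pos : seg_size;
        feed_segment(&st, get_len, stream + pos, n);
    }
    return st;
}

int main(void)
{
    reasm_t a = run_stream(pdu_len_total, 39);
    reasm_t b = run_stream(pdu_len_total, 5);
    reasm_t c = run_stream(pdu_len_payload_only, 5);
    printf("total length, clubbed:  pdus=%d bad=%d leftover=%zu\n", a.pdus, a.bad, a.len);
    printf("total length, 5-byte:   pdus=%d bad=%d leftover=%zu\n", b.pdus, b.bad, b.len);
    printf("payload only, 5-byte:   pdus=%d bad=%d leftover=%zu\n", c.pdus, c.bad, c.len);
    return 0;
}
```

With the total-length callback both PDUs are dissected whether the stream arrives in one segment or in 5-byte pieces. With the payload-only callback the loop advances 7 bytes too few after the first PDU, reads two payload bytes as the next length, and then waits for a PDU that never completes, so every following segment is absorbed into the desegmentation buffer, which is what "TCP segment of a reassembled PDU" on every later frame looks like.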


One Answer:


Maybe your IPv4 preference to "Reassemble fragmented IPv4 datagrams" is disabled?

answered 03 Jul '14, 08:33

cmaynard ♦♦