Just before starting, sorry for my english... i'm french.
I'm developing (in C language) a wireshark dissector to dissect a specific protocol to the company (it's owner of it) where I work but I have a problems when messages are several TCP frames ... I can not reassemble the messages when a message is broken into two different frames TCP, I can not reform it in one message...
I read the readme.dissector and try using two methods:
First method:
tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
get_dns_pdu_len, dissect_dns_tcp_pdu, data);
return tvb_captured_length(tvb);
Second method :
guint offset = 0;
while(offset < tvb_reported_length(tvb)) {
gint available = tvb_reported_length_remaining(tvb, offset);
gint len = tvb_strnlen(tvb, offset, available);
if( -1 == len ) {
/* we ran out of data: ask for more */
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return (offset + available);
}
col_set_str(pinfo->cinfo, COL_INFO, "C String");
len += 1; /* Add one for the '\0' */
if (tree) {
proto_tree_add_item(tree, hf_cstring, tvb, offset, len,
ENC_ASCII|ENC_NA);
}
offset += (guint)len;
}
/* if we get here, then the end of the tvb coincided with the end of a
string. Happy days. */
return tvb_captured_length(tvb);</code></pre><p>But impossible to reassemble the message, I do not understand why ... can you help me please? I hope you understand my problem ...: /</p></div><div id="question-tags" class="tags-container tags"><span class="post-tag tag-link-reassembly" rel="tag" title="see questions tagged 'reassembly'">reassembly</span> <span class="post-tag tag-link-dissector" rel="tag" title="see questions tagged 'dissector'">dissector</span> <span class="post-tag tag-link-help" rel="tag" title="see questions tagged 'help'">help</span> <span class="post-tag tag-link-tcp" rel="tag" title="see questions tagged 'tcp'">tcp</span> <span class="post-tag tag-link-wireshark" rel="tag" title="see questions tagged 'wireshark'">wireshark</span></div><div id="question-controls" class="post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>asked <strong>04 Nov '14, 04:47</strong></p><img src="https://secure.gravatar.com/avatar/6e41ef358edbaa0233d30fbd5b41b4d1?s=32&d=identicon&r=g" class="gravatar" width="32" height="32" alt="Guillaume's gravatar image" /><p><span>Guillaume</span><br />
1●1●1●2
accept rate: 0%
Nobody can help me please ?
You’re not really giving anyone a chance to help. You must describe in more detail what happens with the two methods, as they are both used successfully elsewhere in the code.
The first method is definitely the easiest as long as you have correctly created the
get_dns_pdu_len()function. Have you tried debugging the code to check that function returns the expected value?Thank grahamb for your answer!
I will try to explain you… So, my problem is to reassemble the packets between them. To illustrate this, see “picture1.png” (in the end of this message) which shows the packet number 8 should be following the packet number 6. As you can see the number 6 is malformed packet because its sequel is in the number 8 … I can not get them together to make one cut and the entire message …
To reach the result of “picture1.png” I’ll put the code I use. “choixMessageASA” allows according to the header frame of the ASA (the protocol that I have to decode) to know what message travels :
if (tree) {
I hope you can help me :/
picture1.png :
Why don’t you use tvb_dissect_pdus? It would be much simpler. The code should be something like this:
where get_asa_pdu_len() is:
Thanks for your answer and sorry for my late reply …
I tried the way you speak with tvb_dissect_pdus but the result is the same, I get the same thing as “picture1.png” I set in my previous message … Do not you know how to meet the frames 6 and 8 (those of “picture1.png”) and dissect the whole frame assembled?
One small thing reassembly and code adding to columns shouldn’t be under “if (tree) {” as allwas should be executed.
Thank you Anders for your answer but I do not know what you mean … is it possible showing me what would be the code please?
You thought that because it gives me the same thing:
Higer up in the post before the code box you have
I’m sorry, I did not understand what you meant! I succeeded to make it work according your advice, thank you!
Quick question, how can I customize the “length” column to display the length of the reassembled message and not the length of the normal message?
Use something like
col_add_fstr(pinfo->cinfo, COL_PACKET_LENGTH, “%i”, new_length);, but be very careful about this, all Wireshark users and code expect the length column to contain the length of that frame, not reassembled length from subsequent frames. You would be better adding the length as a field in the packet tree and possibly in the “Info” column.The changes made to the hiqnet dissector here show how simple it is to do reassembly when using tcp_dissect_pdus().
I have already tried this method but I have two warnings during compilation :
warning C4020: ‘tcp_dissect_pdus’ : too many actuals parametersbut if I remove the “data” parameter at the end oftcp_dissect_pduthe warning disappears…warning C4013: ‘tcp_captured_length’ undefined; assuming extern returning intwhile i imported the correct files…This is why I have not used this method even if it is faster :/
Are you using an older version of source code, rather than trunk (or 1.12)?
The
dissector_dataparameter was added totcp_dissect_pduslast year:Did you actually use
tcp_captured_lengthin your code or is that just a typo in your comment? It should betvb_captured_lengthand that was added earlier this year:I use an an older version is why the
tcp_dissect_pdusdoes not work with the data parameter! You’re right!For
tvb_captured_lengthis a typo from me in my comment for thetcp.. Maybe the warning is there because I do not have the latest version of Wireshark.Anyway, thank you all for your answers, it has been of great help!