This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissect question: how to dissect protocol that has fragment packets

0

Hi there,

I'd like to dissect a protocol whose PDUs can be captured as fragmented packets. I hit a problem while doing reassembly in the dissector. I found that Wireshark normally loads only part of the captured file (not all of the captured packets) and only dissects a packet when I navigate to a particular row. That causes an issue for me: when I drag the progress bar with the mouse to some later position in the captured file, it is possible that only packets N to M are displayed while packet N is the last part of a reassembled PDU, so the dissector cannot work, since Wireshark does not dissect packets numbered less than N. Can any expert give me a clue on how to work this out?

Thanks, Jianhui

asked 06 Jan '15, 01:58

Jianhui


One Answer:

0

See doc/README.dissector, in the source tree, section 2.7 Reassembly/desegmentation.

answered 06 Jan '15, 03:37

grahamb ♦

Hi grahamb,

Thanks for the quick response! I may not have explained my issue correctly. I can work with segmentation/reassembly without problems (as long as those packets are loaded and dissected). The issue is that when I open a captured file and scroll to the end of it, I found that Wireshark does not call dissect_packet for each packet, but just for those packets that are visible in the TreeView. This leads to the first visible packet not being dissected correctly, as it contains only the later part of the whole PDU.

Thanks, Jianhui

(06 Jan '15, 19:12) Jianhui

Hi grahamb,

My intention is to show the 'last fragment' packet in the TreeView COL_INFO as "[Fragment]", but when I scroll back several packets and the rest of the PDU is dissected, I can update the COL_INFO of the 'last fragment' packet to something else.

Is there a way that I could go back and update the Info column of a packet, for example when it's selected in the GUI and re-dissected, so I can correct the COL_INFO of that packet?

Thanks, Jianhui

(06 Jan '15, 19:18) Jianhui

The file is read in sequence (all packets) only on the first pass. Writing to columns and reassembly code must not be under if(tree), as a tree may not be available. Some reassembly code may have to be protected by (pinfo)->fd->flags.visited or PINFO_FD_VISITED(pinfo), e.g. only done once.

Hope this helps.

(07 Jan '15, 01:00) Anders ♦
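
The pattern described in the last comment, as an added example that is not part of the original thread and is not Wireshark code: a self-contained C model of a sequential first pass that reassembles and stores per-frame results, followed by random-access re-dissection that only looks them up. The `frame_t` type, the constructed capture and all function names are assumptions; a real dissector would use the reassembly API from doc/README.dissector and `PINFO_FD_VISITED(pinfo)` in place of the `visited[]` array.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed capture: one fragment per frame; 'last' marks the end of a PDU. */
typedef struct { int num; bool last; const char *data; } frame_t;
static const frame_t capture[] = {
    {1, false, "HEL"}, {2, true, "LO"}, {3, false, "WOR"}, {4, false, "L"}, {5, true, "D"},
};
enum { NFRAMES = 5, INFO_LEN = 32 };

static char result[NFRAMES + 1][INFO_LEN]; /* per-frame text saved on first pass */
static bool visited[NFRAMES + 1];          /* stands in for PINFO_FD_VISITED(pinfo) */
static char partial[INFO_LEN];             /* reassembly in progress (first pass only) */

/* Model dissector. Reassembly and the Info text never depend on 'tree'. */
void dissect(const frame_t *f, bool tree, char *info, size_t n) {
    (void)tree;
    if (!visited[f->num]) { /* runs once per frame, during the sequential pass */
        strncat(partial, f->data, sizeof partial - strlen(partial) - 1);
        if (f->last) {
            snprintf(result[f->num], INFO_LEN, "PDU: %.20s", partial);
            partial[0] = '\0';
        } else {
            snprintf(result[f->num], INFO_LEN, "[Fragment]");
        }
        visited[f->num] = true;
    }
    snprintf(info, n, "%s", result[f->num]); /* later passes: lookup only */
}

/* First pass: every frame in capture order, no tree. */
void load_capture(void) {
    char info[INFO_LEN];
    memset(visited, 0, sizeof visited);
    partial[0] = '\0';
    for (int i = 0; i < NFRAMES; i++)
        dissect(&capture[i], false, info, sizeof info);
}

/* Random access: the user selects a row and it is re-dissected with a tree. */
const char *select_row(int num) {
    static char info[INFO_LEN];
    dissect(&capture[num - 1], true, info, sizeof info);
    return info;
}

int main(void) { load_capture(); printf("%s\n", select_row(5)); return 0; }
```

Selecting frame 5 directly returns the reassembled text because the work was done and stored during the first pass; moving the reassembly under a tree check or dropping the visited guard would break that.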