This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Revisiting in split packages

0

Hi, I was wondering about functions for TCP packets (like tcp_dissect_pdus) that need to deal with fragmented packages.

When I had to write a similar thing it completely broke down because of the way packets are revisited after the first pass through; specifically when some packets had to be looked at in the right order for the reassembly to work.

What's the fix for this? Some pre-made func.s clearly know how to deal with this.

asked 15 Jan '15, 09:54

nicole_identity
11336
accept rate: 0%

It seemed to me that when I had my dissector ignore packets flagged as visited then any results from the original dissection were deleted and those packets came out undissected.

By displaying as the dissection occurred I got something like this happening without the flag check:

Packet A goes in, it's half #1

some other packets are processed, but they are all normal packets so no problems

Packet B goes in, it's half #2

Packet A is combined with packet B and all goes well

Some other packets are revisited and at some point...

The packets that were fragmented get looked at again (unnecessarily, it seems, since the recombination worked the first time around)

Somehow there ends up being a time where the packets are being looked at in inappropriate ways. For example, B being looked at before A and sending out a message missing the first half.

Wrong results since the last time A and B were looked at it wasn't done in the right order (even though the first time around was fine)

And then I got something like this with the flag check:

Packet A goes in, it's half #1

some other packets are processed, but they are all normal packets so no problems

Packet B goes in, it's half #2

Packet A is combined with packet B and all goes well

Packets come back but the dissector ignores them

In the end all packets appear black because the data gathered the first time through has been erased

I'll try to word this better in a moment...

(15 Jan '15, 10:46) nicole_identity

One Answer:

0

Dissectors can use the pinfo->fd->flags.visited flag to determine if this is the first time the dissector has seen the frame.

Can you add some more detail to your issue, i.e. exactly what didn't work?

answered 15 Jan '15, 10:20

grahamb ♦
19.8k330206
accept rate: 22%

I'm attempting to add more info.

(15 Jan '15, 10:49) nicole_identity
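
A minimal model of the two-pass behaviour discussed in this thread, added as an example and not code from either poster or from Wireshark: stateful reassembly runs only when the frame has not been visited, the per-frame result is saved, and any revisit replays the saved result instead of ignoring the frame or reassembling again. The struct, `dissect`, `saved` and `pending` are hypothetical names, and the `visited` field stands in for `pinfo->fd->flags.visited`, which the caller (not the dissector) sets after the first pass.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 16

/* Toy model of a two-pass dissector; names are hypothetical, not Wireshark API. */
struct frame { int num; int visited; const char *payload; int is_first_half; };

/* Result saved per frame on the first pass (stands in for per-frame data). */
static char saved[MAX_FRAMES][64];
/* Sequential state: only meaningful while frames arrive in capture order. */
static char pending[32];

/* Returns the text to display for this frame ("" if nothing is known). */
const char *dissect(const struct frame *f)
{
    if (f->num < 0 || f->num >= MAX_FRAMES)
        return "";
    if (!f->visited) {
        /* First pass: capture order is guaranteed, so using `pending` is safe. */
        if (f->is_first_half) {
            snprintf(pending, sizeof pending, "%s", f->payload);
            snprintf(saved[f->num], sizeof saved[0], "[fragment, continues]");
        } else {
            snprintf(saved[f->num], sizeof saved[0], "%s%s", pending, f->payload);
            pending[0] = '\0';
        }
    }
    /* Revisit, in any order: never touch `pending`, only replay the saved
       result. Returning early here without output is what leaves the frame
       undissected; re-running the branch above is what garbles the message. */
    return saved[f->num];
}

int main(void)
{
    /* Constructed sample: one message split across frames 1 and 2. */
    struct frame a = {1, 0, "HELLO ", 1}, b = {2, 0, "WORLD", 0};

    dissect(&a); a.visited = 1;   /* first pass, capture order */
    dissect(&b); b.visited = 1;

    printf("B revisited first: %s\n", dissect(&b));  /* out-of-order revisit */
    printf("A revisited:       %s\n", dissect(&a));
    return 0;
}
```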