This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I dump fragmented packets to multiple files?

I have to read a capture file and dump its packets to multiple files, according to several field values of the packets. In order to do that, I have created a postdissector using Lua to extract the field values of the packets.

The problem is with the fragmented packets. These packets are divided in several frames and the "Fragmented" frames don't have the necessary field values in order to dump them in the correct file. And if I ignore the fragmented packets, I will have the result below.

In the following image I have the frames of the source capture file. Look as one of the packets is fragmented in frames 8 and 9.

alt text

In the following image I have the frames of the result pcap. As I ignored the fragmented frame in the original capture file, in the result file I have a fragmented packet without the required information, as shown in the source file, packet 9. alt text

So I would like that my result pcap would contain the same packets as the source pcap. I don't know if the "ip.reassembled_in" field could be useful, as it could allow me to associate the "Fragmented" frame to the frame with the information I need. But as this frame with the information appears always after the fragmented frame, maybe I could keep the fragmented frame temporarily in a array, and after that, when the frame with the information was reached, I could associate them, bring the fragmented frame and dump both to a file, but I don't know how I can keep a frame and after dump it to a file.

Do you know how to do that or any way to solve my problem with the fragmented packets?

multiple-files lua fragmentation dissector dump

asked 23 Feb '15, 07:58

nn15
1●1●1●2
accept rate: 0%

edited 23 Feb '15, 09:41

The question should be: do you need all the complete frames with (the possible fragmented) data, or do you need frames with (the possible reassembled) data? The former is tricky, the latter should be doable.

(23 Feb '15, 08:15) Jaap ♦

Ideally I would like to obtain all the complete frames with the possible fragmented data, but if I can not do that, the frames with the reassembled data would be an acceptable result.

(23 Feb '15, 09:04) nn15

One Answer:

[This is an old question, but since no one's answered it yet...]

Saving the fragments in a Lua table won't work very well - for one thing, the Tvb and Pinfo objects passed into the proto.dissector() function are not safe to keep around past the life/scope of the proto.dissector() function; and if you extracted all of it into something that is safe to keep around (like ByteArrays and strings and so on) that would be a lot of data.

But you don't need to do that - what you need is to have the packets dissected or tapped twice. The first time to figure out which SIP messages you want to export to which files, and to let the IP fragments be associated with each other; and the second time to export the IP packet frames to the relevant file, based on the decisions of the first time.

In Wireshark (not tshark) you can force the packets to be re-tapped again with the retap_packets() function, which also makes them be dissected again. In tshark the packets will be processed twice if the -2 command line option is used, but I'll assume you only need Wireshark support not tshark.

The "trick" is to know when to invoke retap_packets() in your Lua script, and one way to do so is to create a Listener tap and define its listener.reset() function to call retap_packets(). Since the listener.reset() function is invoked by Wireshark at the end of the capture file, calling retap_packets() at that time will do it all again. (you may need to prevent retap_packets() from being invoked again and again, so wrap it in a if-then with a boolean) Another way to do it is if your Lua script creates a GUI menu item to trigger this exporting, then you can just invoke retap_packets() inside the menu item's callback function.

So once you decide how you want to proceed with that model, you could use the "ip.reassembled_in" field of every packet and match the value to a Lua table of SIP packets you want to export - a Lua table which you created in the first pass based on the pinfo.number of the SIP messages you want. Or you could do the reverse: keep a Lua table of all the packet numbers you want to export by using the "ip.fragment" field in the SIP packets you want to export, and query the table in the second pass using pinfo.number) of every packet.

answered 28 Jun '15, 10:37

Hadriel
2.7k●2●9●39
accept rate: 18%