Greetings, I am working on a plugin that dissects TCP streams generated between systems that communicate with each other using Visage Standard Messaging Format (VSMF). I am using the Conversation API to track the streams because its follow-on packets could be either compressed or uncompressed. I am also using a technique similar to this question for reassembling the fragments because, if not, my decompressing as well as my dissecting won't work. So far, I've been successful except I seem to be experiencing the same issues @hudac ran into in his question above, and it doesn't appear that he had his question answered. By that, I mean he was told what was happening, but no method to circumvent it was mentioned. If using tcp_dissect_pdus(), which makes the protocol run atop TCP, means that there is no guarantee that packet boundaries for your protocol will correspond to TCP segment boundaries, then what method can I use to allow my plugin to run under TCP in order for it to reassemble the fragments into a complete segment for my plugin? I'm almost certain that I may not be able to use PDU to assist in reassembly because I don't know that there is a size value in the first bytes of each PDU (according to SYN-bit who mentions it here). Thanks in advance.

asked 13 Apr '16, 19:11 coloncm, edited 13 Apr '16, 19:53
One Answer:
So problem is that you'd like to use First, I'd make sure there's no message length towards the beginning of the packet: if there is your life will be much easier. If not then you'll have to tell Wireshark when to do desegmentation; look in Note that it is possible to use tcp_dissect_pdus() together with manually setting

answered 14 Apr '16, 06:39 JeffMorriss ♦, edited 14 Apr '16, 12:28
@JeffMorriss, thank you for your input.
After reading the portion of the README.dissector you suggested, I discovered that reassembling a PDU is not my issue, but the dissection of multiple PDUs across a single packet. My plugin is being called to dissect each PDU independently of each other, and I'm not sure if it is what I really want it to do. I guess, I'd have to understand what is a PDU within a packet in terms of the conversation between the systems (TCP stream). Could you explain?
The way we generally talk about things in Wireshark is like this:
So: tcp_dissect_pdus() deals with 1-4 for you so your dissector doesn't have to worry about PDU boundaries when TCP is the transport. As you said, your dissector does some setup work (telling TCP the PDU length) and then tcp_dissect_pdus() will call your dissector for each PDU. If you want Wireshark to call you for each frame then just don't use tcp_dissect_pdus(). But then you'll have to deal with 1-4 yourself.

I see. So, a PDU is a single transmission, already reassembled if sent in fragments, sent from one node to another, and not a frame with respect to TCP streams. Which means that my dissector, which currently parses each PDU separately, is actually doing it correctly. I just need to ensure what it's getting gets parsed as a single "message" (VSMF in this case) according to the established architecture. Am I understanding this correctly?
Yes, that sounds about right. Really to check if things are working correctly you need to make sure it works in all of the 4 conditions listed above--that means verifying that it works when a frame has one PDU (common case, easy), when a frame has 2+ PDUs, when a PDU is spread across 2+ frames, etc.
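The four boundary cases JeffMorriss lists (one PDU per frame, several PDUs in one frame, one PDU spread over several frames, a frame ending part-way into the next PDU) are what tcp_dissect_pdus() hides from a dissector. The C program below is an added, self-contained model of that behaviour written for this thread; it is not Wireshark's implementation and does not use the epan API. It assumes a hypothetical message layout with a 4-byte big-endian length field at the start of every PDU (the thread notes VSMF may not have one), and replays the four cases on constructed frames so you can see how many times the per-PDU dissector is invoked and how often a frame has to be held back for more data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical PDU layout used only for this example: a 4-byte
 * big-endian length field that counts the header itself, then the payload.
 * The thread notes VSMF may have no such field; the point here is the
 * desegmentation mechanics, not the VSMF encoding. */
#define FIXED_HDR_LEN 4
#define MAX_STREAM    4096

typedef struct {
    uint8_t buf[MAX_STREAM]; /* bytes received on the stream but not yet dissected */
    size_t  len;
    int     pdus_dissected;  /* complete PDUs handed to dissect_pdu() */
    int     frames_deferred; /* frames that ended with an incomplete PDU held back */
} stream_t;

/* Stand-in for the get_pdu_len callback: given FIXED_HDR_LEN bytes, returns the total PDU length. */
size_t get_pdu_len(const uint8_t *p) {
    return ((size_t)p[0] << 24) | ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | (size_t)p[3];
}

/* Stand-in for the per-PDU dissector: called exactly once per complete PDU. */
static void dissect_pdu(stream_t *s, const uint8_t *pdu, size_t len) {
    (void)pdu;
    s->pdus_dissected++;
    printf("PDU %d: %zu bytes\n", s->pdus_dissected, len);
}

/* Stand-in for tcp_dissect_pdus(): feed one TCP segment payload. Every complete
 * PDU in the frame is dissected in a loop; a trailing partial PDU is held back
 * until later frames complete it. Returns -1 on a malformed length or overflow. */
int feed_frame(stream_t *s, const uint8_t *seg, size_t seglen) {
    if (s->len + seglen > MAX_STREAM) return -1;
    memcpy(s->buf + s->len, seg, seglen);
    s->len += seglen;

    size_t off = 0;
    while (s->len - off >= FIXED_HDR_LEN) {
        size_t pdulen = get_pdu_len(s->buf + off);
        if (pdulen < FIXED_HDR_LEN || pdulen > MAX_STREAM) return -1; /* bogus length: stop, never spin */
        if (s->len - off < pdulen) break;  /* PDU continues in a later frame: wait for it */
        dissect_pdu(s, s->buf + off, pdulen);
        off += pdulen;
    }
    if (off < s->len) s->frames_deferred++;
    memmove(s->buf, s->buf + off, s->len - off);
    s->len -= off;
    return 0;
}

/* Build one PDU with `payload` bytes of filler into out; returns its total length. */
static size_t make_pdu(uint8_t *out, size_t payload) {
    size_t total = FIXED_HDR_LEN + payload;
    out[0] = (uint8_t)(total >> 24); out[1] = (uint8_t)(total >> 16);
    out[2] = (uint8_t)(total >> 8);  out[3] = (uint8_t)total;
    memset(out + FIXED_HDR_LEN, 0xAB, payload);
    return total;
}

/* Replays the boundary cases from the thread on a fresh stream: one PDU per
 * frame, two PDUs in one frame, one PDU across two frames, and a frame that
 * ends inside the next PDU's header. */
void run_scenarios(stream_t *s) {
    uint8_t a[64], b[64], c[64], frame[256];
    size_t la = make_pdu(a, 10), lb = make_pdu(b, 6), lc = make_pdu(c, 20);
    memset(s, 0, sizeof *s);

    feed_frame(s, a, la);                               /* frame 1: exactly one PDU */
    memcpy(frame, a, la); memcpy(frame + la, b, lb);
    feed_frame(s, frame, la + lb);                      /* frame 2: two whole PDUs */
    feed_frame(s, c, 9);                                /* frame 3: header + part of the payload */
    feed_frame(s, c + 9, lc - 9);                       /* frame 4: the rest of that PDU */
    memcpy(frame, b, lb); memcpy(frame + lb, a, 2);
    feed_frame(s, frame, lb + 2);                       /* frame 5: one PDU + 2 header bytes of the next */
    feed_frame(s, a + 2, la - 2);                       /* frame 6: remainder of that PDU */
}

int main(void) {
    stream_t s;
    run_scenarios(&s);
    printf("dissected %d PDUs; %d frames ended with an incomplete PDU\n",
           s.pdus_dissected, s.frames_deferred);
    return 0;
}
```

Running it dissects six PDUs across six frames, with two of those frames holding an incomplete PDU that only completes in the following frame. The malformed-length check in feed_frame is the part worth carrying into a real dissector: a length smaller than the fixed header would otherwise make the loop re-read the same bytes forever, and an absurdly large one would make the reassembly buffer grow without bound.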