I am working on a plugin that dissects TCP streams generated between systems that communicate with each other using Visage Standard Messaging Format (VSMF). I am using the Conversation API to track the streams because its follow-on packets could be either compressed or uncompressed. I am also using a technique similar to this question for reassembling the fragments because, if not, my decompressing as well as my dissecting won't work.
So far, I've been successful except I seem to be experiencing the same issues @hudac ran into in his question above, and it doesn't appear that he had his question answered. By that, I mean he was told what was happening, but no method to circumvent it was mentioned.
If using tcp_dissect_pdus(), which makes the protocol run atop TCP, means that there is no guarantee that packet boundaries for your protocol will correspond to TCP segment boundaries, then what method can I use to allow my plugin to run under TCP in order for it to reassemble the fragments into a complete segment for my plugin? I'm almost certain that I may not be able to use PDU to assist in reassembly because I don't know that there is a size value in the first bytes of each PDU (according to SYN-bit who mentions it here).
Thanks in advance.
asked 13 Apr '16, 19:11
edited 13 Apr '16, 19:53
So the problem is that you'd like to use
First, I'd make sure there's no message length towards the beginning of the packet: if there is your life will be much easier.
If not then you'll have to tell Wireshark when to do desegmentation; look in
Note that it is possible to use tcp_dissect_pdus() together with manually setting
answered 14 Apr '16, 06:39
edited 14 Apr '16, 12:28
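As an added illustration of the two approaches the answer describes (not code from the question, the answer, or any VSMF dissector), here is a minimal Wireshark Lua dissector that asks TCP for reassembly in both situations: when a length field at the start of each PDU tells you exactly how many bytes are missing, and when there is no length field and you can only ask for one more segment until a terminator shows up. The protocol name `exproto`, TCP port 9999, the 4-byte big-endian length header and the newline terminator are all assumptions chosen for the example, not VSMF's real framing.

```lua
-- Added example, not from the original post: a Wireshark Lua dissector showing
-- how to request TCP desegmentation. The protocol "exproto", port 9999 and both
-- message layouts are hypothetical and chosen only for illustration.

local exproto = Proto("exproto", "Example TCP protocol (desegmentation demo)")

local f_len  = ProtoField.uint32("exproto.len",  "Message length", base.DEC)
local f_body = ProtoField.bytes ("exproto.body", "Message body")
exproto.fields = { f_len, f_body }

-- Preference standing in for whatever tells you which framing the peers use.
exproto.prefs.delimited = Pref.bool("Delimited framing", false,
    "Use newline-terminated PDUs instead of length-prefixed ones")

-- Case 1: each PDU starts with a 4-byte big-endian length covering the whole PDU.
-- Returns bytes consumed, or -1 after telling Wireshark how much more it needs.
local function dissect_length_prefixed(tvb, pinfo, tree, offset)
    local avail = tvb:len() - offset
    if avail < 4 then
        -- Not even the header is here yet: ask for one more segment and retry.
        pinfo.desegment_offset = offset
        pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
        return -1
    end
    local msg_len = tvb(offset, 4):uint()
    if avail < msg_len then
        -- Header known, body incomplete: ask for exactly the missing bytes.
        pinfo.desegment_offset = offset
        pinfo.desegment_len = msg_len - avail
        return -1
    end
    local sub = tree:add(exproto, tvb(offset, msg_len), "Length-prefixed PDU")
    sub:add(f_len, tvb(offset, 4))
    sub:add(f_body, tvb(offset + 4, msg_len - 4))
    return msg_len
end

-- Case 2: no length field; each PDU ends with a 0x0A byte. Wireshark cannot be
-- told how much is missing, so we request "one more segment" until the
-- terminator appears in the reassembled buffer.
local function dissect_delimited(tvb, pinfo, tree, offset)
    local term = tvb:raw(offset):find("\n", 1, true)  -- plain search, no patterns
    if not term then
        pinfo.desegment_offset = offset
        pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
        return -1
    end
    local msg_len = term  -- find() is 1-based, so this count includes the terminator
    local sub = tree:add(exproto, tvb(offset, msg_len), "Delimited PDU")
    sub:add(f_body, tvb(offset, msg_len - 1))
    return msg_len
end

function exproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = exproto.name
    local offset = 0
    -- One segment may carry several PDUs (or part of one), so loop until the
    -- data runs out or a sub-dissector asks for more.
    while offset < tvb:len() do
        local consumed
        if exproto.prefs.delimited then
            consumed = dissect_delimited(tvb, pinfo, tree, offset)
        else
            consumed = dissect_length_prefixed(tvb, pinfo, tree, offset)
        end
        if consumed < 0 then
            -- desegment_offset/len are set; report the whole segment as handled
            -- so the TCP dissector reassembles and calls us again.
            return tvb:len()
        end
        offset = offset + consumed
    end
    return offset
end

DissectorTable.get("tcp.port"):add(9999, exproto)
```

Two points worth noting: `desegment_offset` must point at the start of the PDU you could not finish, not at 0, otherwise complete PDUs earlier in the same segment get handed to you a second time after reassembly; and the delimited path only works because Wireshark's TCP reassembly keeps growing the buffer while `DESEGMENT_ONE_MORE_SEGMENT` is requested, which is the manual equivalent of what tcp_dissect_pdus() does for you when a length field exists.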