This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How dissect two segments of one protocol in the same packet , in the same TCP segment (LUA)?

0

I want to use my BGP dissector to dissect other BGP segments in the same packet. I don't know how to call the dissection function again. Now it only dissects the first BGP segment.

I want to do it like in the picture example: 3 different BGP segments in the same TCP segment.

asked 04 Jul '16, 04:23

javiguembe
accept rate: 0%

My dissector takes the whole TCP segment as a buffer, but I need to limit it to the BGP segment length and repeat the process while the TCP segment length > 0. How?

(04 Jul '16, 04:48) javiguembe

2 Answers:

0

EDIT: answer improved according to what @grahamb has pointed in a comment below.

Although borders of PDUs of application protocols using TCP as transport are often aligned with borders of TCP packets, it is not a law, so your dissector should be able to treat the TCP payload as a continuous stream and find the PDUs in it regardless of the packet border. So if you finish dissecting a BGP segment and there is still data in the tvb, simply return the length of the part of the tvb you have processed; the TCP dissector will invoke yours again, giving it the rest of the tvb and the proper branch of the dissection tree to hook the result to. And this will repeat until there is either nothing left in the payload to be dissected, or until the remainder of the payload is just the beginning of a PDU.

In the latter case, i.e. if you reach the end of the tvb and your application protocol's PDU is not complete yet, you have to return zero as the number of tvb bytes you could dissect successfully. This tells the TCP dissector that you could not completely dissect the contents of the tvb as it was, and it will prepend this remainder to the payload of the next packet of the TCP stream when invoking your dissector on that packet.

Just to emphasize what is implicitly mentioned above: there are also cases where the capture starts mid-session, so your application protocol dissector should be able to synchronize on the stream also if it starts in the middle of a PDU. I don't know whether it can happen in case of BGP, but if I've understood you well, you've only chosen BGP as a model case.

answered 05 Jul '16, 00:46

sindy
accept rate: 24%

edited 05 Jul '16, 09:48

For C-based dissectors, they just process each PDU separately, and return the number of bytes they dissected, and the TCP dissector calls sub-dissectors again if there are still bytes left to be processed. Are Lua dissectors not the same?

(05 Jul '16, 01:35) grahamb ♦

There is no reason why it should behave differently for Lua dissectors than for C dissectors (especially as the TCP dissector itself is the same and it doesn't even know whether the dissector it invokes is a C or Lua one), but I wasn't sure whether it cycles through the payload until all of it is dissected or whether it can only handle a single "blind tail". So I'll edit my Answer accordingly.

(05 Jul '16, 09:27) sindy

0

There are many examples and sample Lua scripts available on the Wireshark wiki that you can use to help you solve this problem. For example, the fpm.lua script, written by Hadriel Kaplan and available on either the Lua Examples or Contrib wiki pages, seems to be written to illustrate the exact problem of TCP reassembly in Lua.

Some useful Lua-related links then:

answered 06 Jul '16, 07:57

cmaynard ♦♦
accept rate: 20%
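The loop both answers describe (dissect one PDU, return the bytes consumed, ask TCP for more when the last PDU is cut off), written out as an added Lua example in the style of the fpm.lua script mentioned above; it is not code from the question or from either answer. The protocol name "bgp_demo" and its field names are assumptions; the 19-byte BGP header layout (16-byte marker, 2-byte length, 1-byte type) is from RFC 4271.

```lua
-- Protocol and fields; the "bgp_demo" names are assumptions for this example.
local bgp_demo = Proto("bgp_demo", "BGP demo (Lua, several PDUs per segment)")
local f_marker = ProtoField.bytes("bgp_demo.marker", "Marker")
local f_length = ProtoField.uint16("bgp_demo.length", "Length", base.DEC)
local f_type   = ProtoField.uint8("bgp_demo.type", "Type", base.DEC)
bgp_demo.fields = { f_marker, f_length, f_type }

local HDR_LEN = 19  -- 16-byte marker + 2-byte length + 1-byte type (RFC 4271)

-- Dissect one BGP message starting at 'offset'. Returns the bytes consumed
-- (> 0), or a negative number whose magnitude is how many more bytes we need.
local function dissect_one_pdu(tvb, pinfo, tree, offset)
  local avail = tvb:len() - offset
  if avail < HDR_LEN then
    return -DESEGMENT_ONE_MORE_SEGMENT   -- header incomplete, length unknown
  end
  local msg_len = tvb(offset + 16, 2):uint()
  if msg_len < HDR_LEN then
    -- The length field cannot be valid; consume the tail so the loop ends.
    tree:add(bgp_demo, tvb(offset)):append_text(" [invalid length " .. msg_len .. "]")
    return avail
  end
  if avail < msg_len then
    return -(msg_len - avail)            -- body incomplete, exact need known
  end
  local st = tree:add(bgp_demo, tvb(offset, msg_len))
  st:add(f_marker, tvb(offset, 16))
  st:add(f_length, tvb(offset + 16, 2))
  st:add(f_type,   tvb(offset + 18, 1))
  return msg_len
end

function bgp_demo.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = bgp_demo.name
  local consumed = 0
  while consumed < tvb:len() do
    local n = dissect_one_pdu(tvb, pinfo, tree, consumed)
    if n < 0 then
      -- Ask TCP to call us again from 'consumed' once -n more bytes arrive.
      pinfo.desegment_offset = consumed
      pinfo.desegment_len = -n
      return tvb:len()
    end
    consumed = consumed + n
  end
  return consumed
end

-- 179 is BGP's registered port; adding here replaces the built-in BGP
-- dissector on that port, so use a test port or "Decode As" to compare.
DissectorTable.get("tcp.port"):add(179, bgp_demo)
```

With "Allow subdissector to reassemble TCP streams" enabled in the TCP preferences, a message split across two segments is handed back to the dissector whole on the second segment.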