This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reassembled fragments in custom dissector

0

Hi, I have n packets and three different message types: beginning message, continuation message and end message. When a beginning message is received I have to store the message, the continuation messages also have to be included, and when it comes to the end message I have to reassemble them.

Packet 1 : fragmentation, beginning message(id=1)

Packet 2 : fragmentation, continuation message(id=1)

Packet 3 : fragmentation, beginning message(id=2)

Packet 4 : fragmentation, beginning message(id=3)

Packet 5 : fragmentation, continuation message(id=1)

Packet 6 : fragmentation, end message(id=1)

How can I reassemble these messages in my dissectors?

This question is marked "community wiki".

asked 27 May '17, 21:30

ghader
accept rate: 0%

edited 30 May '17, 08:22

JeffMorriss ♦

1

So how are those three types of message indicated? Is a non-fragmented message one that's marked as neither beginning, nor continuation, nor end? Or is it marked in some other way? What if a message has only two fragments - is one marked as beginning and the other marked as end?

And do the IDs indicate what message is fragmented, so that, with those 6 packets, only the message with an ID of 1 can be reassembled?

(27 May '17, 22:17) Guy Harris ♦♦

In message packets, there is a flag (message type) that indicates the type of message (b, c, e). Some messages have only two fragments - one is marked as beginning and the other marked as end. The IDs don't indicate what message is fragmented. There is a counter in each message that increases each time a packet is sent.

Packet 1 : fragmentation, beginning message(id=1),n=10

Packet 2 : fragmentation, continuation message(id=1),n=11

Packet 3 : fragmentation, beginning message(id=2),n=15

Packet 4 : fragmentation, beginning message(id=3),n=20

Packet 5 : fragmentation, continuation message(id=1),n=12

Packet 6 : fragmentation, end message(id=1),n=13

(27 May '17, 22:55) ghader

some message has only two fragments

So all messages are fragmented - there's no message type that's "it's all here, no fragments"? Or is that a fourth message type?

In your example, what indicates which message packets 2 and 5 are continuations of, and what message packet 6 is the end of?

(30 May '17, 20:44) Guy Harris ♦♦

One Answer:

1

Since you didn't say otherwise I'm assuming your custom dissector is in C (rather than Lua).

Fundamentally you want to use the routines in epan/reassemble.{h,c}. From the looks of it you may be able to use the fragment_add() method. You'll need to go through that code and/or other Wireshark code that uses the reassembly code to see how to use them (there's no README that I'm aware of).

answered 30 May '17, 08:21

JeffMorriss ♦
accept rate: 27%
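
The bookkeeping that reassembly of the six packets in the question requires, as a self-contained C model; this is an added example, not code from the thread or from Wireshark, and it does not call the epan/reassemble API. It assumes the id groups the fragments of one message and the counter n is consecutive within that message (the thread leaves both open); `frag_add`, its types and the size caps are hypothetical names chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum ftype { F_BEGIN, F_CONT, F_END };
enum { MAX_MSGS = 4, MAX_FRAGS = 8, MAX_LEN = 16 };  /* hard caps bound memory use */
struct partial {                       /* one message being reassembled */
    int used, end_idx;                 /* end_idx stays -1 until END is seen */
    uint32_t id, first_n;              /* first_n = counter value of BEGIN */
    uint8_t have[MAX_FRAGS];           /* which slots are filled */
    size_t len[MAX_FRAGS];
    uint8_t data[MAX_FRAGS][MAX_LEN];
};
static struct partial table[MAX_MSGS];

/* Returns the reassembled length once complete, 0 while fragments are missing,
 * -1 if the fragment is rejected (no BEGIN, duplicate, past END, over a cap). */
int frag_add(uint32_t id, uint32_t n, enum ftype t,
             const uint8_t *buf, size_t len, uint8_t *out, size_t cap)
{
    struct partial *p = NULL, *spare = NULL;
    for (int i = 0; i < MAX_MSGS; i++) {
        if (table[i].used && table[i].id == id) p = &table[i];
        else if (!table[i].used && !spare) spare = &table[i];
    }
    if (len > MAX_LEN) return -1;
    if (t == F_BEGIN) {
        if (p || !spare) return -1;    /* second BEGIN for this id, or table full */
        p = spare;
        memset(p, 0, sizeof *p);
        p->used = 1; p->end_idx = -1; p->id = id; p->first_n = n;
    }
    if (!p || n < p->first_n || n - p->first_n >= MAX_FRAGS) return -1;
    uint32_t idx = n - p->first_n;     /* slot is derived from the counter */
    if (p->have[idx]) return -1;       /* duplicate or overlapping fragment */
    if (p->end_idx >= 0 && (t == F_END || (int)idx > p->end_idx)) return -1;
    if (t == F_END) p->end_idx = (int)idx;
    p->have[idx] = 1; p->len[idx] = len;
    memcpy(p->data[idx], buf, len);
    if (p->end_idx < 0) return 0;      /* END not seen yet */
    size_t total = 0, off = 0;
    for (int i = 0; i <= p->end_idx; i++) {
        if (!p->have[i]) return 0;     /* gap: keep waiting */
        total += p->len[i];
    }
    if (total > cap) return -1;
    for (int i = 0; i <= p->end_idx; off += p->len[i], i++)
        memcpy(out + off, p->data[i], p->len[i]);
    p->used = 0;                       /* release the slot for reuse */
    return (int)total;
}
```

Fed the six packets in arrival order, only id=1 completes, on packet 6; ids 2 and 3 stay pending in the table, so a real dissector also needs a policy for entries that never see their end message.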