This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[Help] difference between fragmentation reassembly functions

1

Hi, I have a custom dissector that is layered on top of UDP and splits up its own data stream. Flag bytes signal the presence of a multi-packet sequence and also the last packet, followed by an ID of the sequence and a packet sequence number.

packet1:id=1,frag_number=0,more_frags=1
packet2:id=1,frag_number=1,more_frags=1
packet3:id=1,frag_number=2,more_frags=0 (<-- this should complete reassembly)
packet4:id=5,frag_number=11,more_frags=1
packet5:id=5,frag_number=12,more_frags=1
packet6:id=5,frag_number=13,more_frags=0 (<-- this should complete reassembly)

If I use the fragment_add_seq_check function, packets 1, 2, 3 are reassembled correctly, but packets 4, 5, 6 aren't reassembled.

If I use the fragment_add_check function, packets 1, 2, 3 are reassembled incorrectly and the hf_msg_fragment_overlap field is true, and packets 4, 5, 6 aren't reassembled.

What is my problem? Please help me. Thanks. My code is like in this question.

The picture of the result in the case of the fragment_add_check() function is here: output result

The picture of the result in the case of the fragment_add_seq_check() function is here: output2

This question is marked "community wiki".

asked 14 Jun '17, 10:55

hhw
104711
accept rate: 100%

edited 04 Jul '17, 04:33

2

Looking through fragment_add_work() it appears other interesting parameters for fragment_add_check() are:

  • offset
  • frag_offset
  • frag_data_len

Could you add the values of those for each packet (similar to the output in the question)?

(15 Jun '17, 07:38) JeffMorriss ♦
1

In the case of using fragment_add_work(), how can I use frag_id in reassembling?

(15 Jun '17, 10:33) hhw
2

fragment_add_work() isn't an API you can use: it's the internal routine that does the work of fragment_add() and fragment_add_check(). But to debug your problem of course we need to figure out what that routine is doing with your fragments.

(15 Jun '17, 12:55) JeffMorriss ♦
1

Excuse me. I don't know how to use fragment_add_work for adding of those for each packet. I uploaded my foo.pcap and my code. Can you take a look at it? Thank you very very much.

My pcap: https://ufile.io/cmxe1

My code: https://ufile.io/ic0er

(16 Jun '17, 03:12) hhw
1

You might want to join the Wireshark developer mailing list for this. I'm not sure how often Jeff and others are visiting this site.

The mailing lists are here: https://www.wireshark.org/lists/

(04 Jul '17, 04:58) Jasper ♦♦

One Answer:

1

See my response on the wireshark-dev mailing list explaining why the reassembly function is behaving as expected and what to change on your side.

answered 04 Jul '17, 14:14

Pascal Quantin
5.5k1060
accept rate: 30%