Hi, I am developing a dissector for decoding a specified protocol on top of UDP, so the whole data is in the UDP PDU. I cannot show you the code because I am not allowed to, so I will describe it. There was another reassembly question here by Chris; I looked at it and tried everything, but it does not work.

OK, for example, four packets are observed. These four belong together, so they have a sequence ID which I am using in frag_msg for reassembling. Moreover, the protocol specifies a msg_number and a total number; in the example case this is 4. So now I want to reassemble these 4 packets with the same sequence ID, so I get 4 fragments. Yes??? OK, my code gets 4 packets, but I never see "Reassembled Message" in the Info column.

The packets have some header stuff which I hang on the display tree, and after a few steps my reassembly code is used. Now in the packet it is possible that a block beginning in the first packet has 3000 bytes, so in the first packet there are maybe 800 bytes that I have to decode in the following way: after the header there is a block info with how many bytes it has and so on. If this byte count is longer than the packet, I have to use the payload of the second packet. So I thought reassembling would put the whole rest of every payload of the "linked" packets into this new_tvb and show "Reassembled message", but this does not work. But for correct decoding I have to get all of these payloads at once, because, as I described, one block can "overlap" into the payload of the next packet.

Some more information: before reassembling I put the header info and other stuff into the visible tree in Wireshark, and after this I reassemble. My whole dissecting code is in just one dissect function. Could this be the problem? Do I have to reassemble first and then call a new dissector?? I don't know; 3 weeks of working so hard and I have no idea. One more thing about reassembling.
How can I make it possible to add links between the fragments that belong together, so that the first packet has a link in the dissector tree to the second packet, you know? After all, my dissector is written as a plugin, it is not built in! Sorry for the bad English; if something is missing to understand it completely, please answer as well! Please help me!!! One thing to add: how can I change the highlight colours in Wireshark? So maybe if I have a packet of this type I want a green background. Is there any possibility to set these colours within the dissector, something like "if message reassembled -> background colour = green"? Thanks a lot!!!!

asked 15 Dec '11, 07:38 Anthracis, edited 15 Dec '11, 07:47
One Answer:
Since we cannot see your code, and your description is 'complex', I would recommend looking at the RTP dissector. It runs on top of UDP and has reassembly built in. You can learn and copy from that. answered 15 Dec '11, 15:22 Jaap ♦

Thanks so far, I will have a look at it. (19 Dec '11, 02:49) Anthracis
I had forgotten: my check for whether more fragments are available is something like this:
msg_number < total_number
So it should work, but it doesn't!
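As an added example (not the asker's plugin and not Jaap's code), below is a Lua dissector that does the sequence the question is after: header fields into the tree first, payloads collected per sequence ID, and only in the frame that completes the message a new Tvb built from the concatenated payloads, "[Reassembled message]" appended to the Info column, and the length-prefixed block decoding run over that Tvb so a block that spans two UDP datagrams parses cleanly. Lua is used because the Lua API has no equivalent of the C fragment_add_seq_check() call, which means the mechanics are spelled out by hand. The header layout (4-byte sequence ID, 2-byte message number, 2-byte total), the 2-byte length-prefixed block format, UDP port 9999 and every `myproto.*` name are assumptions, since the question does not give the protocol.

```lua
-- Added example, not code from the original post. Layout is ASSUMED:
--   0       4        6        8
--   | seq_id | msg_no | total | payload ...         (all big-endian)
-- Load with: tshark -X lua_script:myproto.lua -r capture.pcap
local myproto = Proto("myproto", "Example fragmented protocol (added example)")

local f_seq    = ProtoField.uint32("myproto.seq_id",       "Sequence ID",    base.DEC)
local f_msgno  = ProtoField.uint16("myproto.msg_number",   "Message number", base.DEC)
local f_total  = ProtoField.uint16("myproto.total_number", "Total messages", base.DEC)
local f_frag   = ProtoField.bytes ("myproto.fragment",     "Fragment payload")
-- framenum fields render as clickable links to other frames in the GUI
local f_reasm_in   = ProtoField.framenum("myproto.reassembled_in", "Reassembled in", base.NONE, frametype.NONE)
local f_frag_frame = ProtoField.framenum("myproto.fragment_frame", "Fragment frame", base.NONE, frametype.NONE)
local f_reasm      = ProtoField.bytes ("myproto.reassembled",        "Reassembled payload")
local f_reasm_len  = ProtoField.uint32("myproto.reassembled.length", "Reassembled length", base.DEC)
myproto.fields = { f_seq, f_msgno, f_total, f_frag, f_reasm_in, f_frag_frame, f_reasm, f_reasm_len }

local HDR_LEN = 8

local pending        = {}  -- seq_id -> { parts = {msg_no->ByteArray}, frames = {msg_no->frame}, got = n }
local done           = {}  -- frame that carried the last fragment -> { data = ByteArray, frames = {...} }
local reassembled_in = {}  -- fragment frame -> frame in which its message was completed

function myproto.init()     -- reset per-capture state when a file is (re)loaded
  pending, done, reassembled_in = {}, {}, {}
end

-- Decode the COMPLETE payload as 2-byte-length-prefixed blocks (assumed format).
-- Running this over the reassembled Tvb is what makes a block spanning datagrams work.
local function dissect_blocks(tvb, tree)
  local off, n = 0, 0
  while off + 2 <= tvb:len() do
    local blen = tvb(off, 2):uint()
    if off + 2 + blen > tvb:len() then
      tree:add(tvb(off), string.format("Block %u: length %u runs past end of payload", n + 1, blen))
      break
    end
    n = n + 1
    tree:add(tvb(off, 2 + blen), string.format("Block %u, %u bytes", n, blen))
    off = off + 2 + blen
  end
  return n
end

function myproto.dissector(buf, pinfo, tree)
  if buf:len() < HDR_LEN then return 0 end
  pinfo.cols.protocol = "MYPROTO"

  local seq_id, msg_no, total = buf(0, 4):uint(), buf(4, 2):uint(), buf(6, 2):uint()
  local payload = buf(HDR_LEN)

  -- header first, exactly as the question does it
  local st = tree:add(myproto, buf())
  st:add(f_seq,   buf(0, 4))
  st:add(f_msgno, buf(4, 2))
  st:add(f_total, buf(6, 2))
  st:add(f_frag,  payload)
  pinfo.cols.info = string.format("seq %u, fragment %u of %u", seq_id, msg_no, total)

  -- Accumulate on the first pass only; Wireshark re-dissects frames on click,
  -- so results are cached per frame number and looked up on later passes.
  if not pinfo.visited and msg_no >= 1 and msg_no <= total then
    local p = pending[seq_id] or { parts = {}, frames = {}, got = 0 }
    pending[seq_id] = p
    if p.parts[msg_no] == nil then p.got = p.got + 1 end
    p.parts[msg_no]  = payload:bytes()
    p.frames[msg_no] = pinfo.number
    if p.got == total then                 -- all pieces seen, in any order
      local all = ByteArray.new()
      for i = 1, total do all:append(p.parts[i]) end
      done[pinfo.number] = { data = all, frames = p.frames }
      for i = 1, total do reassembled_in[p.frames[i]] = pinfo.number end
      pending[seq_id] = nil
    end
  end

  local r = done[pinfo.number]
  if r == nil then
    -- an earlier fragment: only link forward to the frame that completed it
    local target = reassembled_in[pinfo.number]
    if target then st:add(f_reasm_in, target):set_generated() end
    return buf:len()
  end

  -- Completing frame: new Tvb from the concatenated payloads, then real decoding.
  local new_tvb = r.data:tvb("Reassembled MYPROTO")
  local rt = st:add(f_reasm, new_tvb()):set_generated()
  rt:add(f_reasm_len, new_tvb:len()):set_generated()
  for i = 1, total do rt:add(f_frag_frame, r.frames[i]):set_generated() end
  pinfo.cols.info:append(" [Reassembled message]")
  dissect_blocks(new_tvb, rt)
  return buf:len()
end

DissectorTable.get("udp.port"):add(9999, myproto)  -- port is an assumption
```

Two points the question raises that the code illustrates: the "Reassembled" text can only appear in the frame that carries the last fragment, because that is the first moment all payload exists, while the earlier frames get a generated "Reassembled in" link that is filled in on the second pass (in the GUI, or with `tshark -2`). And row colour is not something a dissector sets at all: it comes from View > Coloring Rules, where a rule with a display filter such as `myproto.reassembled.length` (any field the dissector only adds on the completing frame) and a green background gives the "reassembled -> green" effect.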