User guide

&ett_msg_fragment,
&ett_msg_fragments
...
These hf variables are used internally within the reassembly routines to make useful links, and to
add data to the dissection. They produce links from one packet to another, such as a partial packet
having a link to the fully reassembled packet. Likewise there are back pointers to the individual
packets from the reassembled one. The other variables are used for flagging up errors.
9.4.2. How to reassemble split TCP Packets
A dissector gets a tvbuff_t pointer which holds the payload of a TCP packet. This payload contains
the header and data of your application layer protocol.
When dissecting an application layer protocol you cannot assume that each TCP packet contains
exactly one application layer message. One application layer message can be split into several TCP
packets.
You also cannot assume that a TCP packet contains only one application layer message and that the
message header is at the start of your TCP payload. More than one message can be transmitted in
one TCP packet, so a message can start at an arbitrary position.
This sounds complicated, but there is a simple solution. tcp_dissect_pdus() does all this TCP
packet reassembling for you. This function is implemented in
epan/dissectors/packet-tcp.h.
Example 9.19. Reassembling TCP fragments
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <epan/packet.h>
#include <epan/emem.h>
#include <epan/dissectors/packet-tcp.h>
#include <epan/prefs.h>
...
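#define FRAME_HEADER_LEN 8

/* Forward declarations: both callbacks are passed to tcp_dissect_pdus() below */
static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset);
static void dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);

/* The main dissecting routine */
static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
                     get_foo_message_len, dissect_foo_message);
}

/* This method dissects fully reassembled messages */
static void dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    /* TODO: implement your dissecting code */
}

/* determine PDU length of protocol foo */
static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    /* TODO: change this to your needs */
    /* The value returned is the length of the whole PDU, header included.
       It is read straight from the capture, so treat it as untrusted input. */
    return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */
}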
...
As you can see this is really simple. Just call tcp_dissect_pdus() in your main dissection
routine and move your message parsing code into another function. This function gets called
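The two cases described above (a message split across TCP packets, and several messages in one TCP packet) can be seen in the following stand-alone C model, which is an added example and not Wireshark code or the way tcp_dissect_pdus() is implemented. It assumes the framing of Example 9.19 (8-byte header, 32-bit big-endian total length at offset 4); foo_stream, foo_feed(), MAX_PDU_LEN and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <string.h>

#define FRAME_HEADER_LEN 8u  /* framing of the guide's foo example */
#define MAX_PDU_LEN 4096u    /* assumed sanity cap, not from the guide */

typedef struct {
    uint8_t buf[MAX_PDU_LEN]; /* bytes of the PDU being assembled */
    size_t have;              /* how many of them have arrived so far */
} foo_stream;

/* Total PDU length, header included: big-endian 32-bit field at offset 4. */
static uint32_t foo_pdu_len(const uint8_t *hdr)
{
    return ((uint32_t)hdr[4] << 24) | ((uint32_t)hdr[5] << 16) |
           ((uint32_t)hdr[6] << 8) | hdr[7];
}

/* Feed one TCP payload; returns PDUs completed by it, or -1 on a bad length. */
static int foo_feed(foo_stream *s, const uint8_t *seg, size_t len)
{
    int done = 0;
    while (len > 0) {
        size_t want = s->have < FRAME_HEADER_LEN ? FRAME_HEADER_LEN
                                                 : foo_pdu_len(s->buf);
        size_t take = want - s->have < len ? want - s->have : len;
        memcpy(s->buf + s->have, seg, take);
        s->have += take; seg += take; len -= take;
        if (s->have < FRAME_HEADER_LEN) break;  /* header itself is split */
        uint32_t plen = foo_pdu_len(s->buf);
        if (plen < FRAME_HEADER_LEN || plen > MAX_PDU_LEN) {
            s->have = 0;      /* untrusted length field: give up on the stream */
            return -1;
        }
        if (s->have == plen) { done++; s->have = 0; } /* whole PDU: parse here */
    }
    return done;
}

/* Constructed sample: three PDUs of 12, 8 and 10 bytes, back to back. */
static const uint8_t sample[30] = {
    'F','O','O',1, 0,0,0,12, 'a','b','c','d',
    'F','O','O',2, 0,0,0,8,  'F','O','O',3, 0,0,0,10, 'x','y' };

int main(void)
{
    foo_stream s = { {0}, 0 };
    return foo_feed(&s, sample, sizeof sample) == 3 ? 0 : 1;
}
```

The length check runs as soon as the header is complete, before any payload is copied, so a length below the header size or above the cap can neither underflow the remaining-bytes calculation nor overrun the buffer.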