I must admit I am very new to Wireshark, but I have read a lot of material over the last few days and this problem has me stumped.
I have written a custom dissector plugin to handle an XCP protocol. This consists of PDUs on TCP and I am using the tcp_dissect_pdus function to handle the reassembly of TCP packets to allow successful dissecting of my PDUs.
I want to add to the info (COL_INFO) column in the GUI the packets contained in the TCP packet (e.g. Packets: 0x1234 - 0x1240). This works as expected except when the TCP packet is reassembled and then I just get the first PDU packet number. What is really strange is that the other PDUs are correctly dissected and added to the tree view at the bottom. I've tried all manner of things to work out what is going on, but figure I need some expert help! ;-)
Any suggestions greatly appreciated!
I also want to add a PDU sequence check (i.e. packet numbers increase monotonically). This is what led me to this problem in the first place, since I was getting a failed sequence check on the reassembled TCP packets.
TBH your code in
As to your problem, I can't see a declaration of offset. That should be declared and initialised in
answered 01 Aug '11, 14:55
With reassembly, your dissector isn't going to be called until TCP has enough data to hand off to your dissector as informed by
You may want to re-read
answered 01 Aug '11, 19:40
Thanks for your responses, much appreciated. I should have mentioned that the code has been hacked about a good few times to test out various theories, which is why it looked a mess.
I have re-read the manual items you suggested, but I think maybe I need to clarify the issue a bit further. The reassembly of the packets is working as expected, but it is the calling of the dissect function that I don't quite follow.
Here is my code simplified a bit.
So this bit of code shows the packet numbers in the info column e.g. [0x1234] [0x1235] [0x1236] [0x1237] and in the detailed information I get a breakdown of each XCP packet (4 of them) arranged as XCP Protocol->Header->(Packet Length and Package Counter). This is exactly as I expected for some of the TCP packets.
However, on a packet which indicated [2 Reassembled TCP Segments xxxx] I only get the first packet number e.g. [0x1234]. In the detailed view at the bottom I get the 4 packets I expected.
I could probably live without the packet display in the info column, but when I tried to implement a packet counter check I saw the same issue when checking packet counters across TCP segments in that the packet counter I was checking against was the first one in the reassembled TCP segment rather than the last one.
EDIT: I thought a picture might be useful to see the problem.
Thanks for your support. I've tidied up the code (hopefully) to your liking and removed any unnecessary variables. The output is the same as described above and shown in the screenshot.
answered 02 Aug '11, 08:54
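The packet counter check across TCP segments that the thread discusses, as an added example that is not code from any poster or from Wireshark: a stand-alone C model (not a dissector) in which the last-seen counter is state of the stream and is updated once per PDU. It assumes a 4-byte little-endian header (length of the data that follows, then counter) and counters that step by one with 16-bit wrap; `xcp_stream`, `xcp_feed` and `xcp_demo` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define XCP_HDR_LEN 4  /* assumed header: 2-byte length + 2-byte counter, little-endian */
typedef struct {
    uint8_t  buf[4096];        /* bytes carried over between TCP segments */
    size_t   have;
    uint16_t last_ctr;         /* counter of the most recent complete PDU */
    unsigned pdus, seq_errors;
} xcp_stream;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Feed one TCP segment payload; returns PDUs completed, or -1 if data does not fit. */
int xcp_feed(xcp_stream *s, const uint8_t *seg, size_t len) {
    size_t off = 0; int n = 0;
    if (len > sizeof s->buf - s->have) return -1;
    memcpy(s->buf + s->have, seg, len);
    s->have += len;
    while (s->have - off >= XCP_HDR_LEN) {
        size_t pdu_len = XCP_HDR_LEN + (size_t)le16(s->buf + off);
        if (pdu_len > sizeof s->buf) return -1;  /* never trust the length field */
        if (s->have - off < pdu_len) break;      /* PDU continues in the next segment */
        uint16_t ctr = le16(s->buf + off + 2);
        if (s->pdus > 0 && ctr != (uint16_t)(s->last_ctr + 1)) s->seq_errors++;
        s->last_ctr = ctr;                       /* updated per PDU, not per segment */
        s->pdus++; n++; off += pdu_len;
    }
    memmove(s->buf, s->buf + off, s->have - off);
    s->have -= off;
    return n;
}

/* Constructed sample: counters 0x1234..0x1237, one payload byte each. */
static const uint8_t sample[] = { 1,0,0x34,0x12,0xAA, 1,0,0x35,0x12,0xBB,
                                  1,0,0x36,0x12,0xCC, 1,0,0x37,0x12,0xDD };
static xcp_stream demo;
/* Cut the sample into two segments at `split`; returns PDUs completed by the first. */
int xcp_demo(size_t split) {
    memset(&demo, 0, sizeof demo);
    int first = xcp_feed(&demo, sample, split);
    xcp_feed(&demo, sample + split, sizeof sample - split);
    return first;
}

int main(void) {
    int first = xcp_demo(7);
    printf("first=%d pdus=%u seq_errors=%u\n", first, demo.pdus, demo.seq_errors);
    return 0;
}
```

Wherever the segment boundary falls, the counter compared against is the one from the previous PDU in the stream, so a PDU that straddles two segments does not produce a false sequence error.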