Ask Your Question
0

TCP reassembly - How do you determine the PDU length when there is no length field?

asked 2019-10-08 14:01:19 +0000

Kim gravatar image

Assuming one message that gets split into multiple TCP packets of length 10 bytes. Foo format contains the type of message but there is no length field. Foo contains a text field which could be variable. The end of the message is marked. { return MAX_MESSAGE_LEN }

dissect_foo(...) { tcp_dissect_pdus(...get_foo_pdu_length...) }

Please provide an example where the user needs to determine the length of the PDU and there is no length field. All your examples have a length field in the protocol.

edit retag flag offensive close merge delete

Comments

As all our examples have a length field, ergo we have no examples without a length field.

How does the application receiving the traffic determine the length of the PDU, I don't understand your comment

The end of the message is marked. { return MAX_MESSAGE_LEN }

grahamb gravatar imagegrahamb ( 2019-10-08 14:53:28 +0000 )edit

1 FOO message contains 125 bytes.

FOO PROTOCOL  HEADER (8 BYTES) TEXT (125 BYTES) END OF TEXT DELIMITER (1 BYTE)

TCP splits it into 12 segments.

The text field can be variable. Let's assume 125 bytes for now. Max is 1700.

I am having trouble with the PDU size. What should get_foo_message_len return?

tcp_dissect_pdu()

1st call  return PDU length - 1700
2nd call  return PDU length - 1690
3rd call return PDU length - 1680
4th call return PDU length - 1670
5th call return PDU length - 1660
6th call return PDU length - 1650
7th call return PDU length - 1640
8th call return PDU length -  1630
9th call return PDU length - 1620
10th call return PDU length - 1610
11th call return PDU length - 1605
12th call return PDU length - 1600
13th call return PDU length - 0 (Message should be reassembled at this point.
Call dissect_foo_message(...)
Kim gravatar imageKim ( 2019-10-08 15:26:24 +0000 )edit

Off topic, but how does the PDU get fragmented so badly across multiple, very small, TCP segments?

grahamb gravatar imagegrahamb ( 2019-10-08 17:05:07 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-10-08 17:50:03 +0000

Guy Harris gravatar image

How do you determine the PDU length when there is no length field?

Perhaps you don't. For HTTP, for example, there's no length field for the HTTP header - it continues until there's a blank line - so reassembling HTTP requests and replies doesn't use tcp_dissect_pdus(). The routine that does reassembly for "request/response protocols", meaning "protocols that work somewhat like HTTP", req_resp_hdrs_do_reassembly() handles the blank-line terminator for the header and the Content-Length header for the body.

tcp_dissect_pdus() is for protocols where 1) there's a minimum length for a PDU and 2) if you have that many bytes of data from the beginning of the PDU, you can determine the length, either by extracting it from a length field, or by looking at the PDU type and determining the length based on that, or some other such mechanism.

There's currently no built-in mechanism to handle reassembly of arbitrary protocols where the length is determined by a terminator, so you'd have to implement reassembly yourself. Sadly, there's not much in the way of helper routines or documentation for how to do that. You might get some hints by looking at the way that req_resp_hdrs_do_reassembly() handles reassembling the HTTP header.

edit flag offensive delete link more
0

answered 2019-10-08 17:04:07 +0000

grahamb gravatar image

There is minimal documentation on doing things this way, but it seems that if your get_foo_pdu_length() function returns 0 then the tcp dissector will reassemble the next tcp segment.

Presumably if this is repeated until your function detects the end of text delimiter all the segments will be added to the reassembled tvb.

What I'm not sure is the value that should be returned when you detect the end of of text delimiter, is it the number of bytes required in that segment, or the number of bytes accumulated across all segments. I think it's the latter, empirical testing should show what's required.

There is some more info in docs\README.dissector section 2.7.1.

There is also an alternative method in the same file in sect. 2.7.2 which can be used

when the dissector cannot determine how many bytes it will need to read in order to determine the size of a PDU.

Please report back if you have success so that others that also have the same query can see a solution.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-08 14:01:19 +0000

Seen: 1,468 times

Last updated: Oct 08 '19