Ask Your Question
0

How do I dissect multiple packets?

asked 2017-12-05 15:10:41 +0000

mest112 gravatar image

For example, if there is information I can obtain only by using data from 2 packets (i.e packet 12 and 17), how would I dissect them?

edit retag flag offensive close merge delete

Comments

Can you be more specific? Because I'm not sure whether I'll be answering what you actually ask.

If the PDU of the application protocol is split into several packets of a transport protocol, the dissector of the application protocol shall return 0 when invoked with incomplete data, so the dissector of the transport protocol knows it has to provide more data.

This works for TCP and probably SCTP which take care of payload completeness by means of acknowledgements and retransmissions. They collect the payload as it arrives and with each new arrival they offer it to the application layer dissector until it finally accepts it (by returning a non-zero number of processed bytes). So the dissection of the application layer is then shown in the last transport packet carrying a given PDU.

For other transport protocols like UDP where the retransmissions etc. have to be handled by the ...(more)

sindy gravatar imagesindy ( 2017-12-05 16:09:34 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-05 16:15:26 +0000

grahamb gravatar image

This is known as reassembly. Look at README.dissector sect. 2.7.

edit flag offensive delete link more

Comments

2.7 seems to be only for TCP, is there instructions for reassembly for UDP?

mest112 gravatar imagemest112 ( 2017-12-05 16:46:09 +0000 )edit

Yep, 2.8, udp_dissect_pdus but that function only handles multiple PDU's in a single packet. If spread across multiple packets then you'll need to use the fragmentation API as detailed in the Developers Guide Sect 9.4.

grahamb gravatar imagegrahamb ( 2017-12-06 11:02:58 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-12-05 15:10:41 +0000

Seen: 1,250 times

Last updated: Dec 05 '17

Related questions

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

Little Endian for "Proto_Tree_Add_Bits" Function

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

How do I add "child item" to an item in the subtree?

How do I get relative ack number greater than sequence number?

Wireshark capture with ET2000

How can I make my custom packet dissector distributable?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2