Is it possible to use reassembly on non-split packets?
I need to dissect multiple packets, but they are not necessarily related (i.e. non-split packets).
Are you saying that you've got 2 fragments of your upper-layer protocol in a single IP packet/Ethernet frame and you want to be able to reassemble them?
I believe that, yes, this will work. I'm pretty sure I've seen this happen with SCTP. It was bizarre (though apparently legal--IIRC) that SCTP could fragment and put the 2 fragments in a single IP packet.
How this would work I'm not really sure; the SCTP dissector might serve as a useful reference.
By "multiple fragments in a single packet" do you mean that, in a single link-layer packet, you have multiple sub-packets that are not, by themselves, complete packets, and must then be reassembled into a complete packet?
Or do you mean that, in a single link-layer packet, you have multiple complete packets?
Multiple complete packets, which I don't know how to dissect in a single dissector.
So are you saying, for example, that, in your other question, frames 39 through 44 each have multiple MASP packets in them, and that all of each of those packets is contained within one frame?
Asked: 2017-12-14 16:06:57 +0000
Last updated: Dec 14 '17
Can you expand your question? Over what protocol are these packets running, are they sequential, fragmented, anything else you can think of to explain the issue?
These packets are running over UDP. I'm still fairly new to Wireshark, so I'm still not familiar with some terms, like "sequential" or "fragmented". When I was reading the developer's guide section 9.4, I found that if a packet is too large, it can be split, and the data is spread between multiple packets. To do my dissection, I need to reassemble these split packets. What I want to know is: is it possible to use the reassembly API to assemble packets that aren't split?
I'm missing something here. If you have the complete packet because it isn't split, why do you need to reassemble?
Note that this is quite an advanced topic for dissectors and there isn't much documentation apart from in the reassembly code itself, and the existing dissectors that use it.
It's for a project. If it isn't possible to apply reassembly to packets that aren't split, then is there another way to dissect multiple packets in a single dissector?
So do you have multiple packets for your protocol inside a single link-layer frame, a single packet for your protocol that is made up from multiple link-layer frames, or both?
No, just as it's not possible to put together something that's not broken into multiple pieces.
"Assembly" and "reassembly", in this context, means "assembling, i.e. putting together, multiple parts of a single thing to construct that single thing". If something isn't split, there's nothing to reassemble.
I see, then how would I go about dissecting multiple packets in one dissector? Surely there must be a way to do this.
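The case the thread arrives at (several complete packets of the protocol inside one UDP datagram) calls for a loop over the payload rather than the reassembly API. The following is an added example, not part of the original thread and not Wireshark code: a stand-alone C walker over a constructed buffer. It assumes a hypothetical framing in which every packet starts with a 2-byte big-endian length that counts the whole packet; the thread does not give the real MASP layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 2 /* assumed: 2-byte big-endian length, header included */

enum walk_status { WALK_OK, WALK_NEED_MORE, WALK_BAD_LENGTH };

/* Constructed sample payload: two complete packets, 5 and 4 bytes long. */
static const uint8_t sample_two[] = { 0x00, 0x05, 'a', 'b', 'c',
                                      0x00, 0x04, 'x', 'y' };

/* Walk every complete packet in one datagram payload.
 * *count    = complete packets found
 * *consumed = bytes covered by those packets
 * WALK_NEED_MORE: the tail is only part of a packet. That is the one
 * case where reassembly across frames would apply. */
enum walk_status walk_pdus(const uint8_t *buf, size_t len,
                           size_t *count, size_t *consumed)
{
    size_t off = 0;
    *count = 0;
    *consumed = 0;
    while (off < len) {
        if (len - off < HDR_LEN)
            return WALK_NEED_MORE;   /* length field itself is cut off */
        size_t plen = ((size_t)buf[off] << 8) | buf[off + 1];
        if (plen < HDR_LEN)
            return WALK_BAD_LENGTH;  /* would never advance: stop here */
        if (plen > len - off)
            return WALK_NEED_MORE;   /* packet runs past this datagram */
        /* A Wireshark dissector would cut this packet out here (for
         * example with tvb_new_subset_length()) and dissect it. */
        off += plen;
        (*count)++;
        *consumed = off;
    }
    return WALK_OK;
}

int main(void)
{
    size_t n, used;
    enum walk_status st = walk_pdus(sample_two, sizeof sample_two, &n, &used);
    printf("status=%d packets=%zu consumed=%zu\n", (int)st, n, used);
    return 0;
}
```

The length check before advancing matters in any such loop: a length field smaller than the header would otherwise keep the offset from moving forward, and a length larger than the remaining bytes would read past the datagram.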