Ask Your Question
0

How do I dissect packets if the dissection depends on information from earlier packets?

asked 2017-12-15 14:46:30 +0000

mest112 gravatar image

updated 2017-12-16 19:19:01 +0000

Guy Harris gravatar image

For example, as shown in the image below, if I have two UDP packets in different frames, frames 39 and 40, how would I go about dissecting them together? I need data from both packets. I assume I can't use reassembly, since reassembly is for split packets.

HERE

Would I need to use more then one dissector?

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2017-12-16 09:00:23 +0000

Jaap gravatar image

Then this is the stuff for 'conversations'. You setup conversations on the first pass through the dissection and add protocol related information to it (in this case in packet 39) which you can then use later (in this case in packet 40). There's information on this in the README files in the source tree.

edit flag offensive delete link more

Comments

Note that if the dissection of packet 39 depends on the dissection of packet 40, this is more difficult - and can't work if you're doing a one-pass dissection in TShark.

Guy Harris gravatar imageGuy Harris ( 2017-12-16 19:20:11 +0000 )edit

Thank you.

mest112 gravatar imagemest112 ( 2017-12-18 14:10:31 +0000 )edit
add a comment
0

answered 2017-12-15 18:18:13 +0000

Guy Harris gravatar image

Frames 39 and 40 say "Message fragment", which presumably means that they are fragments of a single larger message.

If so, that means that the single larger message has been split into multiple fragments, so you would need to reassemble those fragments to construct the larger message.

edit flag offensive delete link more

Comments

Oh no that's not it, I just set the text in the column to say "Message fragment" (for no reason really), these aren't actually fragments. Sorry for the confusion.

mest112 gravatar imagemest112 ( 2017-12-15 18:22:25 +0000 )edit

OK, then if you want help you will need to explain, in detail, how your protocol is structured. Picking "Message fragment" as column text, for "no reason really", does not help us understand how your protocol works!

Guy Harris gravatar imageGuy Harris ( 2017-12-15 18:55:46 +0000 )edit

Apologies! I changed the image if that helps. At the moment, my protocol just simply takes in all packets from UDP port 10160, and changes the text in the column. I need information from both packets 39 and 40 in order to do my dissection. However, I don't know how to dissect both packets in a single dissector.

mest112 gravatar imagemest112 ( 2017-12-15 19:14:34 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2017-12-15 14:46:30 +0000

Seen: 1,096 times

Last updated: Dec 16 '17

Related questions

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect multiple packets?

Little Endian for "Proto_Tree_Add_Bits" Function

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

How do I add "child item" to an item in the subtree?

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

Monitoring UDP data on wireshark shows ARP packet

How do I get relative ack number greater than sequence number?