This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[closed] tcp_dissect_pdus. get reassemble TCP

Hi, I'm using

tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN, get_foo_message_len, dissect_foo_message)

to reassemble split TCP Packets in my own dissector. However, I cannot get the full TCP packet. In the dissect_foo_message, I do nothing first, just get the full TCP context by using:

data_len = tvb_length(tvb);
sprintf(str, "%s\n", tvb_get_string(tvb, 122, data_len));

the context in str is truncated.

I'm confused, according to the tutorial, I should get the full TCP packet in the dissect_foo_message, right? Help!!

asked 11 Oct '12, 23:56

razygon

closed 15 Oct '12, 07:38

Bill Meier ♦♦

We'll need to see a bit more of your code. How are you determining the actual length of the PDU in get_foo_message_len()?

dissect_foo_message() will be handed a tvb of whatever length is returned by get_foo_message_len().

(12 Oct '12, 06:48) Bill Meier ♦♦

void proto_reg_handoff_dataparse(void)
{
    dataparse_handle = create_dissector_handle(dissect_dataparse, proto_dataparse);
    dissector_add_uint("tcp.port", dataparse_PORT, dataparse_handle);
    // so the tvb only include data, no package headers, right?
}

static guint get_dataparse_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
    /* fixed value for testing; not derived from the packet */
    return 2000;
}

static void dissect_dataparse_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    int ip_len = 0;
    int data_len = 0;
    char *str;
    FILE *stream;

    if ((stream = fopen(filename, "a")) == NULL)
    {
        return;
    }

    data_len = tvb_length(tvb);
    /* +2: room for the '\n' and the terminating NUL that sprintf() appends */
    str = (char *)malloc(data_len + 2);
    sprintf(str, "%s\n", tvb_get_string(tvb, 0, 2000));
    fwrite(str, strlen(str), 1, stream);
    free(str);
    fclose(stream);
}

(15 Oct '12, 02:54) razygon

Hi Bill, I didn't finish the code, now I'm testing the function tcp_dissect_pdus() to check whether it works. But I try to give specific code in the below comment. Besides that I have two questions: 1. I cannot get the len in advance, for the protocol didn't give it... is there any other way to get it? 2. For test, I set the return value of get_foo_message_len fixed, like 2000, but the data I get is not consecutive? Confused...

(15 Oct '12, 02:58) razygon

[ This type of discussion is best done on the wireshark-dev@wireshark.org mailing list.

So: I'm taking the liberty of "closing" this question in favor of continuing the discussion on wireshark-dev; I'll post a reply shortly on wireshark-dev.

See https://www.wireshark.org/lists/ to subscribe to the list. ]

(15 Oct '12, 07:37) Bill Meier ♦♦

The question has been closed for the following reason “(Discussion to continue on wireshark-dev mailing list).” by Bill Meier 15 Oct ‘12, 07:38
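
Bill Meier's point above, that dissect_foo_message() is handed a tvb of whatever length get_foo_message_len() returns, modelled as a stand-alone C program. This is an added example, not code from the thread or from Wireshark: the 2-byte big-endian length header, `MAX_PDU`, `struct reasm`, `feed()` and the sample segments are assumptions constructed for illustration. It compares a length read from the header with a constant one, and rejects implausible lengths taken from untrusted input.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 2     /* assumed framing: 2-byte big-endian payload length */
#define MAX_PDU 4096  /* cap on the untrusted length field */
typedef size_t (*get_len_fn)(const uint8_t *hdr);
struct reasm { uint8_t buf[MAX_PDU]; size_t used, lens[8]; int n; };

/* Total PDU size (header + payload), read from the fixed-length header. */
static size_t len_from_header(const uint8_t *h) {
    return HDR_LEN + (((size_t)h[0] << 8) | h[1]);
}
/* A constant, like the thread's test callback: ignores the framing. */
static size_t len_fixed(const uint8_t *h) { (void)h; return 8; }

/* Append one TCP segment and record the length of every complete PDU.
 * Returns PDUs recorded so far, or -1 on an implausible length. */
static int feed(struct reasm *r, const uint8_t *seg, size_t n, get_len_fn get_len) {
    if (n > sizeof r->buf - r->used) return -1;   /* would overflow buf */
    memcpy(r->buf + r->used, seg, n);
    r->used += n;
    while (r->used >= HDR_LEN) {
        size_t want = get_len(r->buf);
        if (want < HDR_LEN || want > MAX_PDU || r->n == 8) return -1;
        if (r->used < want) break;        /* PDU continues in a later segment */
        r->lens[r->n++] = want;           /* a dissector would see buf[0..want) */
        memmove(r->buf, r->buf + want, r->used - want);
        r->used -= want;
    }
    return r->n;
}

/* Constructed sample: "hello" and "wireshark", each length-prefixed, fed as
 * three segments (4, 9, 5 bytes) that ignore message boundaries. */
static int run_sample(struct reasm *r, get_len_fn get_len) {
    static const uint8_t s[] = {0, 5, 'h', 'e', 'l', 'l', 'o',
                                0, 9, 'w', 'i', 'r', 'e', 's', 'h', 'a', 'r', 'k'};
    memset(r, 0, sizeof *r);
    if (feed(r, s, 4, get_len) < 0 || feed(r, s + 4, 9, get_len) < 0) return -1;
    return feed(r, s + 13, 5, get_len);
}

int main(void) {
    static struct reasm r;
    int a = run_sample(&r, len_from_header), b = run_sample(&r, len_fixed);
    printf("from header: %d PDUs; fixed: %d PDUs, %zu bytes left over\n", a, b, r.used);
    return 0;
}
```

With the header-derived length the PDUs come out as 7 and 11 bytes, matching the two messages. With the constant, two 8-byte chunks cut across the message boundary and 2 bytes stay buffered.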