I'm working on a Wireshark dissector plugin (C-based) to process some network data. The protocol that is being used over TCP is one where we can't know the complete length of a response from a header field, so I need to use the desegment_offset/desegment_length pinfo fields (which I guess tcp_dissect_pdus uses anyway). Anyhow, this works fine until the network stream has some dup acks resulting in a TCP Fast Retransmission in the middle of the stream. At this point we get the retransmitted data in our dissector again, and lose any context of the previous desegmentation. In other words, after the retransmitted packet we get what should be the packet after the packet that came before the retransmit, but we don't get the data back from that previous packet, so the desegmentation is hosed. Not sure if that is clear or not, but I can't think of a better way to explain it off the top. So, does anybody know of any elegant way to handle this situation? asked 07 Mar '11, 00:54  krippy2k |
One Answer:
There has been some improvements in the (very) recent Wireshark development code base. Please have a look if this addresses your concerns. answered 07 Mar '11, 04:28  Jaap ♦ |
Thanks for the response. I have checked out the latest source from SVN and added the dissector and stepped through it with a debugger, but at first glance I can't see any noticeable difference. I will keep digging.