Revision history [back]

I have a pcap file where each frame describes a read() or write() system call to a serial device. I'm trying to write a dissector for the serial protocol. Because a read() call might happen before there is a fully-formed message in the buffer, or perhaps there might be more than one, I need to implement re-assembly of fragmented messages.

My data is not encapsulated in TCP, so I have not used dissect_tcp_pdus().

My broken approach is to start with a global reassembly_buffer = ByteArray.new(), and then each time my proto.dissector() implementation is called, append the incoming data to the buffer, and then try to consume any full messages in the buffer.

For debugging, I output the buffer contents before appending the current frame. Surprisingly, when I look at the first frame in the file, expecting the buffer to be empty, it is not. I think this may be because my dissector is called multiple times per frame, so when the frame is revisited, the buffer already has contents.

tree:add(proto, tvb(), "Buffer before append: " .. reassembly_buffer:tohex())
reassembly_buffer:append(tvb:bytes())

Put another way: I'm not sure how to track state properly so that the start state of one dissection pass is not affected by the end state of the previous pass. (I'm sure this also dovetails with the Conversation API but I couldn't readily find an example of how to properly use it.)

There is documentation on reassembling split UDP packets but it's for the C API, I'll attempt to port it to Lua.

I have a pcap file Consider a UDP-based protocol where each frame describes a read() or write() system call to a serial device. I'm trying to length-prefixed Pascal strings (<length: i8><contents>) are sent across the network. However, the strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector for the serial protocol. Because a read() call might happen before there is a fully-formed message in the buffer, or perhaps there might be more than one, I need to implement re-assembly of fragmented messages.

My data is not encapsulated in TCP, so I have not used dissect_tcp_pdus().

My broken approach is to start with a global reassembly_buffer = ByteArray.new(), and then each time my proto.dissector() implementation is called, append the incoming data to the buffer, and then try to consume any full messages in the buffer.

For debugging, I output the buffer contents before appending the current frame. Surprisingly, when I look at Lua that can extract reassembled strings? (Assume the first frame in the file, expecting the buffer to be empty, it is not. our capture is the start of a new string.)

---

Since we are not using TCP, I think this may be because my dissector is called multiple times per frame, so when the frame is revisited, the buffer already has contents.

tree:add(proto, tvb(), "Buffer before append: " .. reassembly_buffer:tohex())
reassembly_buffer:append(tvb:bytes())

Put another way: I'm am assuming we cannot use dissect_tcp_pdus() or pinfo.desegment_len, etc. (The documentation is not sure how to track state properly so that the start state of one dissection pass is not affected by the end state of the previous pass. (I'm sure this also dovetails with the Conversation API but I couldn't readily find an example of how to properly use it.)clear.)

There is documentation on reassembling split UDP packets but it's for the C API, I'll attempt to port it API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Consider a UDP-based protocol where length-prefixed Pascal strings (<length: i8><contents>i8><content: i8[]>) are sent across the network. However, the strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector in Lua that can extract reassembled strings? (Assume the first frame in our capture is the start of a new string.)

---

Since we are not using TCP, I am assuming we cannot use dissect_tcp_pdus() or pinfo.desegment_len, etc. (The documentation is not clear.)

There is documentation on reassembling split UDP packets but for the C API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Consider a UDP-based protocol where of length-prefixed Pascal strings (<length: i8><content: i8[]>) are sent across the network. However, the ). The strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector in Lua that can extract reassembled strings? (Assume the first frame in our capture is the start of a new string.)

---

Since we are not using TCP, I am assuming we cannot use dissect_tcp_pdus() or pinfo.desegment_len, etc. (The documentation is not clear.)

There is documentation on reassembling split UDP packets but for the C API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Consider a UDP-based protocol of length-prefixed Pascal strings (<length: i8><content: i8[]>). The strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector in Lua that can extract reassembled strings? (Assume the first frame in our capture is the start of a new string.)

---

Since we are not using TCP, I am assuming we cannot use dissect_tcp_pdus() or pinfo.desegment_len, etc. (The documentation is not clear.)

There is documentation on reassembling split UDP packets but for the C API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Previous discussion from 2016, though the solution comes with some caveats.

Consider a UDP-based protocol of length-prefixed Pascal strings (<length: i8><content: i8[]>). The strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector in Lua that can extract reassembled strings? (Assume the first frame in our capture is the start of a new string.)

---

Since we are not using TCP, Unlike dissect_tcp_pdus(), I am assuming we cannot use dissect_tcp_pdus() or don't think dissect_udp_pdus() is exposed to Lua. The documentation on pinfo.desegment_len, etc. (The documentation is not clear.) is very sparse, but I don't think it applies here.

There is documentation on reassembling split UDP packets but for the C API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Previous discussion from 2016, though the solution comes with some caveats.