I've searched for hours, but I can't seem to find an example which pertains to my specific scenario involving reassembly. Any help is greatly appreciated. I am writing a custom dissector for a protocol (let's call it protocol A) which sits on top of Ethernet. Protocol A is rather simple. It is responsible for transporting data it knows almost nothing about. The header for protocol A includes a sequence number, has a constant header and payload length, does not perform any type of re-transmission. Here is an example Protocol A packet: --Sequence Number (first 2 bytes) --Payload (remaining 100 bytes) (total of 102 bytes) Packets of Protocol B are contained in the payload portion of a Protocol A packet. All packets of Protocol B are either 100, 200, or 300 bytes in length. All packets of protocol B contain a well known 4 byte starting flag. Here is an example of a Protocol B packet. --Starting flag (4 bytes) 0x11223311 (for 96 byte data section), 0x11223322 (for 196 byte data section), or 0x11223333 (for 296 byte data section) --Data (96, 196, or 296 bytes) Packets of Protocol B can start ANYWHERE within the payload of a Protocol A packet (any bit within the Protocol A packet) I would like to reassemble a Protocol B packet and hand it off to a Protocol B dissector. I've seen two main ways of performing reassembly: 1) using fragment_add_check() when a PDU ID and an offset (offset within reassembled PDU of first byte of payload) are known, and the last fragment is specifically marked. 2) using fragment_add_seq_check() when a PDU ID and sequence number are known, and the last fragment is specifically marked. In both of these cases, process_reassembled PDU is used to get a complete PDU. The problem I'm running into is that although I have a pattern to look for to know when one PDU ends and another begins (the Protocol B starting flag 0x11223311, 0x11223322, or 0x11223333), it is possible that the starting flag is split between two protocol A packets. Is there a way to grab previous packet data or to get access to a partially reassembled packet so I can search for the pattern I'm looking for (to mark the end of the previous Protocol B PDU and the beginning of the next Protocol B pdu? Any help is greatly appreciated. Thanks! asked 11 Dec '14, 20:22  mybook4 edited 11 Dec '14, 20:27 |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Look at the H.223 dissector, I think it deals with similar issues. The tcp dissector keeps a tablev of segments I think.
Oh and the per dissector does bit alignment in a new tvb.