Why doesn't wireshark dissect packets that have both retransmitted and new data?

I have a Lua dissector for my custom protocol. The dissector works fine and reassembles PDUs well in all but one use case:

When a TCP ZeroWindowProbe happens because of the full window, one byte of data is sent. My dissector rightly detects that this is not enough for the header and asks for more data (by setting pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT). The problem is that when the ACK is finally received, the new packet sent includes the one byte used for the probe (as well as an additional 1459 bytes of new data) and the whole packet gets treated as a retransmission.

Because a retransmission is treated as an error, the dissector is never called. This breaks any further dissecting, because I have no way of finding the beginning of a packet in my protocol and the sent packet doesn't contain a whole number of messages (it cuts the last message in the middle of the header).

I tried turning off "Do not call subdissectors for error packets", and in that case the dissector gets called, but when I try to signal that I need more data (when I get to the last, partial message in the packet), this is ignored and the next packet is not dissected as it should be.

Am I doing anything wrong? How is this situation meant to be handled in the dissector?

I'm using Wireshark 2.6.4.
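For reference, here is an added example (not the asker's dissector, and not code from the Wireshark project) of the Lua desegmentation pattern the question relies on: a length-prefixed TCP protocol that asks for DESEGMENT_ONE_MORE_SEGMENT while the header is incomplete, asks for the exact number of missing bytes once the header is readable, and sets pinfo.desegment_offset so TCP reassembly restarts at the first byte of the partial PDU rather than at the end of the segment. The protocol name `myproto`, port 9999, the 4-byte header (2-byte magic 0x4D50 followed by a 2-byte payload length) and the field names are all assumptions for the example.

```lua
-- Added example: length-prefixed TCP protocol with TCP desegmentation.
-- "myproto", port 9999, the 4-byte header and the magic 0x4D50 are
-- assumptions, not the protocol from the question.
local myproto = Proto("myproto", "Example length-prefixed protocol")

local f_magic = ProtoField.uint16("myproto.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("myproto.len",   "Payload length", base.DEC)
local f_data  = ProtoField.bytes("myproto.data",   "Payload")
myproto.fields = { f_magic, f_len, f_data }

-- Expert info raised when framing is lost: we stop decoding instead of
-- guessing where the next PDU starts, so garbage is never shown as valid data.
local e_bad_magic = ProtoExpert.new("myproto.bad_magic", "Bad magic, framing lost",
                                    expert.group.MALFORMED, expert.severity.ERROR)
myproto.experts = { e_bad_magic }

local HEADER_LEN = 4
local MAGIC = 0x4D50

function myproto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = myproto.name
  local total  = tvb:len()
  local offset = 0

  -- A segment may carry several PDUs, and the last one may be cut anywhere,
  -- including inside the header; loop until the segment is consumed.
  while offset < total do
    local remaining = total - offset

    if remaining < HEADER_LEN then
      -- Header incomplete: the PDU length is unknown, so ask TCP for at
      -- least one more segment, restarting at this PDU's first byte.
      pinfo.desegment_offset = offset
      pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
      return total
    end

    if tvb(offset, 2):uint() ~= MAGIC then
      tree:add(myproto, tvb(offset)):add_proto_expert_info(e_bad_magic)
      return total
    end

    local payload_len = tvb(offset + 2, 2):uint()
    local pdu_len     = HEADER_LEN + payload_len

    if remaining < pdu_len then
      -- Header complete but body is not: ask for exactly the missing bytes
      -- so reassembly hands back the whole PDU in one call.
      pinfo.desegment_offset = offset
      pinfo.desegment_len    = pdu_len - remaining
      return total
    end

    local subtree = tree:add(myproto, tvb(offset, pdu_len), "Example PDU")
    subtree:add(f_magic, tvb(offset, 2))
    subtree:add(f_len,   tvb(offset + 2, 2))
    if payload_len > 0 then
      subtree:add(f_data, tvb(offset + HEADER_LEN, payload_len))
    end
    offset = offset + pdu_len
  end

  return total
end

DissectorTable.get("tcp.port"):add(9999, myproto)
```

The two branches differ deliberately: DESEGMENT_ONE_MORE_SEGMENT is only appropriate while the length field itself is unreadable; once the header is in hand, requesting the exact byte count lets TCP deliver the complete PDU without a second round trip through the dissector. Setting pinfo.desegment_offset to the start of the partial PDU (not 0) is what preserves the already-decoded PDUs in the same segment and keeps framing aligned across the reassembled data.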