On Thu, May 01, 2003 at 12:00:15PM -0400, nak26 wrote:
> I wrote a dissector for messages running atop TCP.
> Some messages are quite large so they get broken up and sent in subsequent
> packets. So when my dissector encounters these subsequent packets (meaning the
> remaining handoff-ed from the tcp dissector data) it is clueless about the
> data.
>
> Is there something that I could do to handle these situations
> properly?

Possibly, depending on how the size of your messages is specified.

Many binary protocols running atop TCP have a header, early in the message, that specifies the size of the message (it might include the size of everything including the header, it might include the size of everything after the header, it might give a message type from which the header size can be inferred, etc.).

For those protocols, you can usually use the "tcp_dissect_pdus()" routine, which takes, as arguments:

	the tvbuff for the TCP segment being dissected;

	the pinfo value for the packet;

	the protocol tree pointer for the packet;

	a Boolean value that's TRUE if packets split between TCP segments should be reassembled and FALSE if they shouldn't be reassembled (this is typically a user-configurable preference variable);

	the number of bytes of header needed in order to get the data that tells you how big the message is;

	a pointer to a routine that's handed a tvbuff pointer and an offset in that tvbuff, where the offset is the offset of the beginning of a header, and returns the total size of the packet based on the data in the header (total size *including* the header!);

	a pointer to a routine to dissect a single message for your protocol, which gets handed the usual arguments for a dissector function - the tvbuff starts at the beginning of the message.

See, for example, "packet-dns.c".
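Added example, not part of the original message and not Ethereal's own code: a self-contained C model of the framing contract the reply describes (fixed header bytes, a length routine returning the total size including the header, a per-message dissect routine), including the case where a message is split across segments. The 4-byte header layout, `MAX_PDU`, `stream_t` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy protocol: 2-byte type, then 2-byte big-endian total length. */
#define HDR_LEN 4
#define MAX_PDU 4096                     /* assumed sanity bound on one message */

typedef struct { uint8_t buf[2 * MAX_PDU]; size_t used; int pdus; } stream_t;

/* Length routine: total size of the message, header included. */
static size_t get_pdu_len(const uint8_t *hdr) {
    return ((size_t)hdr[2] << 8) | hdr[3];
}

/* Per-message routine: always handed exactly one complete message. */
static void dissect_pdu(stream_t *s, const uint8_t *msg, size_t len) {
    (void)msg; (void)len;
    s->pdus++;
}

/* Feed one segment payload. Returns complete messages dissected, or -1 when
 * the data cannot be framed (bogus length or segment too large for the model). */
int feed_segment(stream_t *s, const uint8_t *seg, size_t seg_len) {
    int before = s->pdus;
    size_t off = 0;
    if (seg_len > sizeof s->buf - s->used) { s->used = 0; return -1; }
    memcpy(s->buf + s->used, seg, seg_len);
    s->used += seg_len;
    while (s->used - off >= HDR_LEN) {           /* enough bytes to read the length */
        size_t plen = get_pdu_len(s->buf + off);
        /* A length below the header size would never advance `off`. */
        if (plen < HDR_LEN || plen > MAX_PDU) { s->used = 0; return -1; }
        if (s->used - off < plen) break;         /* rest arrives in a later segment */
        dissect_pdu(s, s->buf + off, plen);
        off += plen;
    }
    memmove(s->buf, s->buf + off, s->used - off); /* keep the partial tail */
    s->used -= off;
    return s->pdus - before;
}

int main(void) {
    /* Constructed stream: a 6-byte message then an 8-byte one, cut at 3 and 9. */
    const uint8_t st[] = {0,1,0,6,0xAA,0xBB, 0,2,0,8,1,2,3,4};
    stream_t s = {0};
    int a = feed_segment(&s, st, 3), b = feed_segment(&s, st + 3, 6);
    int c = feed_segment(&s, st + 9, 5);
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

The length check matters for untrusted captures: a header whose length field is smaller than the header itself would otherwise keep the loop from advancing.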