Probably the same as this bug: http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2103
Preliminary patch exists.

-- Gerhard

On Dec 14, 2007 10:42 PM, J.C. Wren <[EMAIL PROTECTED]> wrote:
> I have a plugin I've written that uses tcp_dissect_pdu(). I'm
> continuing to have troubles getting a PDU that spans a TCP packet
> working correctly.
>
> A packet in my protocol is a sigil (0xaa), 2 octets that don't matter,
> then an octet that specifies the total length of the packet, less the
> sigil. So an 8 octet packet would be 0xaa, 0x00, 0x00, 0x07, 0xde,
> 0xad, 0xbe, 0xef. Packet lengths can range from 8 octets to 127
> octets.
>
> The problem arises when the first four octets span two TCP packets,
> and occurs as the first octet of the in the packet it's spanning into
> (there may be other conditions that I haven't run into yet).
> Wireshark indicates that it's a reassembled PDU, displays the
> following under the [Reassembled TCP Segments (4 bytes): #11(3),
> #12(1)] expansion.
> [Frame: 11, payload: 0-2 (3 bytes)]
> [Frame: 12, payload: 3-3 (1 byte)]
>
> In the frame that causes an error, the end of frame 11 has 0xaa, 0x00,
> 0x05, and frame 12 has 0x1e. The total packet length is 31 octets
> (including the sigil), but the dissector is only showing 4 octets
> total.
>
> I'm pretty sure I've implemented my code correctly, based on the
> examples I've found, and perusing the source code. I'm hoping someone
> else would be willing to take a look at it, and see if I've done
> something stupid (not unlikely), or if it's an actual PDU reassembly
> issue (less likely). Specifically the error occurs at the end of
> frame 11, the virtual frame 12, and frame 13.
>
> I've posted a complete zip file at
> http://jcwren.com/wireshark/ws.tar.gz. This includes the Wireshark
> sources, and a pcap file called 'small.pcap'. The file in question
> would be plugins/r3/packet-r3.c, with the relevant code at the end of
> the file (please avoid snickering and outright mockery :) )
>
> Any help would be greatly appreciated.
>
> Thanks,
> --jc
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>

-- Gerhard
The sender address really contains .nospam.
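
The framing described in the quoted message, with the 4-octet header split 3 + 1 across two segments as in frames 11 and 12, as an added example that is not from packet-r3.c or the Wireshark sources. It is a stand-alone reassembler rather than a Wireshark dissector callback; `struct r3_stream`, `r3_pdu_len` and `r3_feed` are hypothetical names, the segment bytes are constructed, and the length octet is bounded to the stated 8 to 127 range because it comes off the wire.

```c
/* Added example, not from packet-r3.c. Framing as described in the post:
 * 0xaa sigil, 2 ignored octets, 1 length octet = total length less the sigil. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define R3_SIGIL   0xaa
#define R3_HDR_LEN 4     /* octets needed before the length is known */
#define R3_MIN_PDU 8
#define R3_MAX_PDU 127

/* Hypothetical per-connection state: bytes received but not yet consumed. */
struct r3_stream { uint8_t buf[R3_MAX_PDU]; size_t used; };

/* Total PDU length, 0 if the header is still incomplete, -1 if invalid. */
static int r3_pdu_len(const uint8_t *p, size_t avail)
{
    if (avail >= 1 && p[0] != R3_SIGIL) return -1;
    if (avail < R3_HDR_LEN) return 0;          /* wait for more bytes */
    int total = p[3] + 1;                      /* length octet excludes the sigil */
    return (total < R3_MIN_PDU || total > R3_MAX_PDU) ? -1 : total;
}

/* Feed one TCP segment payload. Returns the number of PDUs it completed;
 * *last_len receives the length of the last one. Invalid octets are skipped. */
static int r3_feed(struct r3_stream *s, const uint8_t *seg, size_t n, int *last_len)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        s->buf[s->used++] = seg[i];            /* never exceeds R3_MAX_PDU */
        for (;;) {
            int len = r3_pdu_len(s->buf, s->used);
            if (len == 0 || (len > 0 && s->used < (size_t)len)) break;
            size_t drop = (len < 0) ? 1 : (size_t)len;  /* resync one octet */
            if (len > 0) { found++; *last_len = len; }
            s->used -= drop;
            memmove(s->buf, s->buf + drop, s->used);
        }
    }
    return found;
}

int main(void)
{
    /* Constructed segments: an 8-octet PDU, then a 31-octet PDU split 3 + 28. */
    uint8_t seg1[11] = {0xaa,0,0,0x07,0xde,0xad,0xbe,0xef, 0xaa,0x00,0x05};
    uint8_t seg2[28] = {0x1e};                 /* length octet, payload zeroed */
    struct r3_stream s = {{0}, 0};
    int last = 0;
    int n1 = r3_feed(&s, seg1, sizeof seg1, &last);
    int n2 = r3_feed(&s, seg2, sizeof seg2, &last);
    printf("PDUs per segment: %d, %d; last length %d\n", n1, n2, last);
    return 0;
}
```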
