I have a plugin I've written that uses tcp_dissect_pdu(). I'm continuing to have troubles getting a PDU that spans a TCP packet working correctly.
A packet in my protocol is a sigil (0xaa), 2 octets that don't matter, then an octet that specifies the total length of the packet, less the sigil. So an 8 octet packet would be 0xaa, 0x00, 0x00, 0x07, 0xde, 0xad, 0xbe, 0xef. Packet lengths can range from 8 octets to 127 octets.

The problem arises when the first four octets span two TCP packets, and occurs as the first octet of the in the packet it's spanning into (there may be other conditions that I haven't run into yet).

Wireshark indicates that it's a reassembled PDU, displays the following under the [Reassembled TCP Segments (4 bytes): #11(3), #12(1)] expansion.

[Frame: 11, payload: 0-2 (3 bytes)]
[Frame: 12, payload: 3-3 (1 byte)]

In the frame that causes an error, the end of frame 11 has 0xaa, 0x00, 0x05, and frame 12 has 0x1e. The total packet length is 31 octets (including the sigil), but the dissector is only showing 4 octets total.

I'm pretty sure I've implemented my code correctly, based on the examples I've found, and perusing the source code. I'm hoping someone else would be willing to take a look at it, and see if I've done something stupid (not unlikely), or if it's an actual PDU reassembly issue (less likely). Specifically the error occurs at the end of frame 11, the virtual frame 12, and frame 13.

I've posted a complete zip file at http://jcwren.com/wireshark/ws.tar.gz. This includes the Wireshark sources, and a pcap file called 'small.pcap'. The file in question would be plugins/r3/packet-r3.c, with the relevant code at the end of the file (please avoid snickering and outright mockery :) )

Any help would be greatly appreciated.

Thanks,
--jc
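The framing rule described in this message, as an added stand-alone example (it is not the poster's packet-r3.c and does not use the Wireshark API): the total PDU length is unknown until all four header octets have arrived, so a reassembler has to keep buffering when a segment ends inside the header. The names `r3_stream`, `r3_pdu_len` and `r3_feed` are hypothetical, and the segment bytes in `main` are constructed from the values quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define R3_SIGIL      0xaa
#define R3_HEADER_LEN 4    /* sigil + 2 ignored octets + length octet */
#define R3_MIN_PDU    8
#define R3_MAX_PDU    127

/* Hypothetical per-direction reassembly state (assumption, not from the page). */
typedef struct {
    uint8_t buf[R3_MAX_PDU];
    size_t  have;
} r3_stream;

/* Total PDU length once the header is complete; 0 = need more octets;
 * -1 = not a valid header (wrong sigil or length outside 8..127). */
static int r3_pdu_len(const uint8_t *p, size_t n)
{
    if (n >= 1 && p[0] != R3_SIGIL)
        return -1;
    if (n < R3_HEADER_LEN)
        return 0;                 /* length octet has not arrived yet */
    int total = p[3] + 1;         /* length octet excludes the sigil */
    return (total < R3_MIN_PDU || total > R3_MAX_PDU) ? -1 : total;
}

/* Feed one TCP segment payload. Returns the number of PDUs completed by
 * this segment, or -1 on a framing error. *last_len gets the last PDU size. */
static int r3_feed(r3_stream *s, const uint8_t *seg, size_t len, int *last_len)
{
    int pdus = 0;
    for (size_t i = 0; i < len; i++) {
        s->buf[s->have++] = seg[i];
        int total = r3_pdu_len(s->buf, s->have);
        if (total < 0) { s->have = 0; return -1; }
        if (total > 0 && s->have == (size_t)total) {
            *last_len = total;
            pdus++;
            s->have = 0;          /* next octet starts a new PDU */
        }
    }
    return pdus;
}

int main(void)
{
    r3_stream s = {0};
    int len = 0;
    const uint8_t f11[] = {0xaa, 0x00, 0x05};  /* header cut after 3 octets */
    const uint8_t f12[] = {0x1e};              /* length octet: 30 + 1 = 31 */
    const uint8_t f13[27] = {0};               /* constructed PDU body */
    printf("%d ", r3_feed(&s, f11, sizeof f11, &len));
    printf("%d ", r3_feed(&s, f12, sizeof f12, &len));
    printf("%d len=%d\n", r3_feed(&s, f13, sizeof f13, &len), len);
    return 0;
}
```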
