Hi,

Thanks a lot for your reply, Jaap.

I have gone through the document and have some queries based on it.

1. The protocol under dissection is not based on TCP, hence approach 2 seems 
more logical as per the document. In this case the actual PDU is always 
scattered across 2 different continuous packets received from Libpcap, and the 
offset of the start of the PDU in a packet remains the same throughout 
capturing. The document states that

"If the dissector discovers that the end of the tvbuff does /not/ coincide 
with the end of a PDU, (ie, there is half of a PDU at the end of the tvbuff), 
it can indicate this to the parent dissector, by updating the pinfo struct. The 
desegment_offset field is the offset in the tvbuff at which the dissector will 
continue processing when next called. The desegment_len field should contain 
the estimated number of additional bytes required for completing the PDU. Next 
time your dissect_PROTO is called, it will be passed a tvbuff composed of the 
end of the data from the previous tvbuff together with desegment_len more 
bytes."


One packet reported is of length 160 bytes; now suppose the offset of the PDU 
is 100. The dissector is able to decode 40 bytes, so it returns 
desegment_offset as 140 and desegment_len as 100, as the PDU is of length 160 
as well. As per the document, the next tvBuff will consist of 20 + 100 == 120 
bytes. My query is: as LibPcap is reading 160 bytes every time from the 
interface, what will happen to the last 60 bytes of the packet of the next PDU?

2. Packets from multiple interfaces can be received at the dissector, and only 
packets from the same interface are to be related. How can this be ensured in 
Wireshark? There is no identifier attached to the packets identifying different 
messages. Is it possible to get the IP of the interface at dissector level when 
there is no IP in the packet?



Regards,
Gaurav
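
A stand-alone model of the carry-over asked about in point 1 and the per-interface separation asked about in point 2, added here as an example; it is not part of the original message and is not Wireshark code. `feed_packet`, `if_state`, `MAX_IF` and the numeric interface index are hypothetical names, and the model assumes the PDU start offset is already known and constant, as the message describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN 160  /* captured packet length stated in the thread */
#define PDU_LEN 160  /* frame (PDU) length stated in the thread */
#define MAX_IF  4    /* assumption: small fixed number of capture interfaces */

/* Hypothetical per-interface state: the part of a PDU seen so far. */
struct if_state { uint8_t carry[PDU_LEN]; size_t have; int synced; };
static struct if_state g_state[MAX_IF];

/* Feed one captured packet from interface if_id; pdu_off is the constant
 * offset (1..PKT_LEN-1) at which a PDU starts inside every packet.
 * Returns 1 and fills out[] when this packet completes a PDU, 0 when more
 * data is needed, -1 on invalid arguments (nothing is copied in that case). */
int feed_packet(unsigned if_id, const uint8_t *pkt, size_t len,
                size_t pdu_off, uint8_t out[PDU_LEN])
{
    if (if_id >= MAX_IF || pkt == NULL || len != PKT_LEN ||
        pdu_off == 0 || pdu_off >= PKT_LEN)
        return -1;
    struct if_state *s = &g_state[if_id];
    int done = 0;
    if (s->synced) {
        /* The head of this packet completes the PDU begun in the previous one. */
        memcpy(out, s->carry, s->have);
        memcpy(out + s->have, pkt, PDU_LEN - s->have);
        done = 1;
    }
    /* The tail of this packet is not lost: it is the start of the next PDU. */
    s->have = len - pdu_off;
    memcpy(s->carry, pkt + pdu_off, s->have);
    s->synced = 1;
    return done;
}

int main(void)
{
    /* Constructed input: PDU k is 160 bytes of value k, starting at offset 100. */
    uint8_t pkt[PKT_LEN], out[PDU_LEN];
    for (int k = 0; k < 3; k++) {
        memset(pkt, k, 100);
        memset(pkt + 100, k + 1, 60);
        int r = feed_packet(0, pkt, PKT_LEN, 100, out);
        printf("packet %d: %s\n", k, r == 1 ? "PDU complete" : "waiting");
    }
    return 0;
}
```

Because the state is indexed by interface, packets interleaved from different interfaces never contribute bytes to each other's PDUs.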




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaap Keuter
Sent: Thursday, October 23, 2008 11:12 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Issue related to reassembly of packets

Hi,

See doc/README.developer section 2.7

Thanx,
Jaap

Gaurav1 Jain wrote:
> Hi All,
>
> Please help me out in my query related to reassembly of packets.
>
> Regards,
> Gaurav
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gaurav1 Jain
> Sent: Tuesday, October 21, 2008 12:05 PM
> To: Developer support list for Wireshark
> Subject: [Wireshark-dev] Issue related to reassembly of packets
>
> Hi,
>
> I am working on a plugin in which a complete meaningful frame (160 bytes) 
> spans over 2 packets (of 160 bytes each; the offset of the start of the 
> frame may vary from 1 to 160). The start of the frame has some fixed 
> pattern. How is it possible to have packets reassembled for dissection 
> (keeping in mind the fact that frames from multiple interfaces can be 
> received at Wireshark)?
>
> Regards,
> Gaurav
>

_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev