Hello,
I have had a look at your pcap example.
The beginning of the first packet is :
07 00 01 00 00 06 F9 01 00 F9 07 A8 E8 01 7E 21
Then for this packet, according to your code :
msg_seqid = 0x700
msg_num = 0x100
msg_start = 0
msg_end = 0x06
msg_flag = 0xF9
Something is wrong :
the length (difference between end and start) is not equal nor near the packet
length.
Then I have checked the second packet.
It is the same.
When I compare both packets, I have observed the following structure :
Description | Length | Value
Header | 1 byte | 07
Message ID | 2 bytes| 0001
Fragment Num| 2 bytes| 0000
Data start | 1 byte | 06
Data length | 1 byte | F9
Packet flag | 1 byte | 01 = fragment
Unused | 1 byte | 00
Data limiter| 1 byte | F9
Data | x bytes| 07 A8 E8 01 ... B9 (F9 bytes)
Data limiter| 1 byte | F9
If I apply this structure to the second packet, I obtain :
Description | Length | Value
Header | 1 byte | 07
Message ID | 2 bytes| 0001
Fragment Num| 2 bytes| 0001
Data start | 1 byte | 06
Data length | 1 byte | CA
Packet flag | 1 byte | 00 = last fragment
Unused | 1 byte | 00
Data limiter| 1 byte | F9
Data | x bytes| 07 AA 8A 01 ... 7C (CA bytes)
Data limiter| 1 byte | F9
If this is correct, it implies :
- there is only one header per packet,
- the length of the header for one packet is 9 bytes.
This could explain that you do not point to the correct information,
and in particular to packet flag information.
Then fragment_add_seq_check() function has never the information
that it is the last packet.
And then process_reassembled_data() never manages to reassemble
the whole message.
I hope this will help you.
Regards
Philippe
Date: Mon, 9 Mar 2009 07:01:01 -0700
From: [email protected]
To: [email protected]
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hi,
ok, here is my code, a pcap example with 4 packets inside (2 are a splitted PPP
packet, and 2 are ACKs) and a little picture of the first splittet packet. I
hope it is understanable :)
I´m not sure where I have to call the ppp dissector, I tried it in
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
But this clause became never true...
/*We have at least one PPP packet*/
if
(sizeMuxPPPHeader > 0){
guint16 tmpOffset = 1;
guint16 tmpOffsetBegin = 1;
guint16 tmpOffsetEnd = 1;
tvbuff_t* new_tvb = NULL;
fragment_data *frag_msg = NULL;
guint16 msg_seqid;//ID of the message
guint16 msg_num;//Sequence number
guint8 msg_start;//Start position of PPP packet
guint8 msg_end;//End of PPP packet
guint8 msg_flag;//Flag of packet
//There could be more than one PPP packet in the multiplexer packet
for (i = 0; i <
sizeMuxPPPHeader/7; i++){
tmpOffset = 7;
tmpOffset = i * tmpOffset+1;
//Get the necessary data
msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
//Calculate the offset
tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; //+ Header_Size, +
Direction
tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
pinfo->fragmented = TRUE;
frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
msg_seqid, /* ID for fragments belonging together */
msg_fragment_table, /* list of message fragments */
msg_reassembled_table, /* list of reassembled messages */
msg_num, /* fragment sequence number */
tmpOffsetEnd, /* fragment length - to the end */
msg_flag); /* More fragments? */
new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
"Reassembled Message", frag_msg, &msg_frag_items,
NULL, mux27010_tree);
if (frag_msg) { /* Reassembled */
// call_dissector( ppp_handle, new_tvb, pinfo, tree ); -> Trying to
call PPP dissector => Error (new_tvb=null)
if (check_col(pinfo->cinfo, COL_INFO)) col_append_str(pinfo->cinfo,
COL_INFO," (Reassembled)");
} else { /* Not last packet of reassembled Short Message
*/
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO," (Message fragment %u)", msg_num);
}
if (new_tvb) { /* take it all */
//this became never true!
next_tvb = new_tvb;
call_dissector( ppp_handle, next_tvb, pinfo, tree );
} else { /* make a new subset */
// next_tvb = tvb_new_subset(tvb, tmpOffsetBegin + 1,
length_info-1, length_info-1);
// call_dissector( ppp_handle, next_tvb, pinfo, tree );
}
}
}
Thanks,
Chris
Von: philippe alarcon <[email protected]>
An: wireshark-dev <[email protected]>
Gesendet: Freitag, den 6. März 2009, 16:16:56 Uhr
Betreff: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello,
As far as I have seen in WireShark sources, it is able to dissect PPP packets,
and a PPP dissector is embedded.
Nevertheless the example of packet will help to understand
how it is managed by WireShark.
Regards
Philippe
Date: Fri, 6 Mar 2009 05:51:49 -0800
From: [email protected]
To: [email protected]
Subject: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello,
you are right, every PPP header has a length of 7 byte and I have one byte
which indicates the total length of my PPP header.
Header_Size (size of all PPP header, a multiple of 7)
Msg_ID (2byte)
Freq_ID (2byte)
Start_Pos (1byte)
End_Pos (1byte)
Flag (1byte)
... (more PPP header)
MUX_Packet (begin of multiplexer packet)
and you are right - once again :). There is a mistake in tmpOffset - it should
be reset to 7
tmpOffset = i * tmpOffset+1;
for i = 1, tmpOffset = 7+1 = 8
-> tmpOffset = 8;
for i = 2, tmpOffset = 2 x 7 + 1 = 15
-> tmpOffset = 7;
for i = 3, tmpOffset = 3 x 7 + 1 = 22
-> tmpOffset = 7;
Concerning PPP dissection: Do I have to call a special dissector or will
wireshark do it?
I´ll send you an example of a packet on monday - today I´m not in the office...
Thanks
Chris
Von: philippe alarcon <[email protected]>
An: wireshark-dev <[email protected]>
Gesendet: Donnerstag, den 5. März 2009, 14:51:51 Uhr
Betreff: Re: [Wireshark-dev] Reassembling splitted PPP packets
Hello Chris,
Could you send us an example of stored packets within a pcap file ?
Then regarding your code, I think there could be a problem how
your header offset is managed (tmpOffset variable).
I have understood that the packet begins with several headers,
each header has a length of 7 octets.
tmpOffset is updated after each extracted field,
and for one header, tmpOffset = tmpOffset + 7.
Correct ?
Then when beginning the following loop, tmpOffset is updated as the following :
tmpOffset = i * tmpOffset+1;
for i = 0, tmpOffset = 0
for i = 1, tmpOffset = 7+1 = 8
for i = 2, tmpOffset = 2 x (8 + 7 + 1) = 32
for i = 3, tmpOffset = 2 x (32 + 7 + 1) = 80
Regards
Philippe
> Date: Thu, 5 Mar 2009 05:02:45 -0800
> From: [email protected]
> To: [email protected]
> Subject: [Wireshark-dev] Reassembling splitted PPP packets
>
>
> Hej,
>
> I´ve written a dissector for a multiplexer-protocol. The payload of these
> multiplexer packets could be PPP packets, most of these packets will be
> splitted to several mux packets.
> I´ve tried to reassemble these PPP packets (reading that article 9.4.1. How
> to reassemble split UDP packets), but it doesn´t work....
> To get the necessary data I´ve added a new header to my multiplexer packet so
> I have the information about the fragments.
>
> What am I doing
wrong?
>
> //Check if there is a PPP packet inside
> if (sizeMuxPPPHeader > 0){
> guint16 tmpOffset = 1;
> guint16 tmpOffsetBegin = 1;
> guint16 tmpOffsetEnd = 1;
>
> //There could be more than one PPP packet in the multiplexer packet
> for (i = 0; i < sizeMuxPPPHeader/7; i++){
>
> tvbuff_t* new_tvb = NULL;
> fragment_data *frag_msg = NULL;
> guint16 msg_seqid; //ID of the message
> guint16 msg_num; //Sequence number
>
> guint8 msg_start; //Start position of PPP packet
> guint8 msg_end; //End of PPP packet
> guint8 msg_flag; //Flag of packet
>
> tmpOffset = i * tmpOffset+1;
>
> //Get the necessary data
> msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
> msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
> msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
>
> //Calculate the offset
> tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start;
> tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;
>
> pinfo->fragmented = TRUE;
> frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
> msg_seqid, /* ID for fragments belonging together */
> msg_fragment_table, /* list of message fragments */
> msg_reassembled_table, /* list of reassembled messages */
> msg_num, /* fragment sequence number */
> tmpOffsetEnd, /* fragment length - to the end */
> msg_flag); /* More fragments? */
>
>
> new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
> "Reassembled Message", frag_msg, &msg_frag_items,
> NULL, mux27010_tree);
>
> if (frag_msg) { /* Reassembled
*/
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_str(pinfo->cinfo, COL_INFO,
> " (Message Reassembled)");
> } else { /* Not last packet of reassembled Short Message */
> if (check_col(pinfo->cinfo, COL_INFO))
> col_append_fstr(pinfo->cinfo, COL_INFO,
> " (Message fragment %u)", msg_num);
> }
> if (new_tvb) { /* take it all */
> next_tvb = new_tvb;
> } else { /* make a new subset */
> next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
> }
>
> Regards, Chris
>
>
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>
mailto:[email protected]?subject=unsubscribe
Discutez sur Messenger où que vous soyez ! Mettez Messenger sur votre mobile !
Discutez sur Messenger où que vous soyez ! Mettez Messenger sur votre mobile !
_________________________________________________________________
Inédit ! Des Emoticônes Déjantées! Installez les dans votre Messenger !
http://www.ilovemessenger.fr/Emoticones/EmoticonesDejantees.aspx___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
