Wireshark mailing list archives
Re: reassembling tcp streams to dissect netstrings
From: Sake Blok <sake () euronet nl>
Date: Mon, 14 Feb 2011 12:48:21 +0100
On 14 feb 2011, at 11:59, Toni Ruottu wrote:
I am writing a plugin to dissect a TCP stream of netstrings. Examples of netstrings would include 5:hello, and 0:, See http://cr.yp.to/proto/netstrings.txt for details. Method tcp_dissect_pdus takes length of the data as a parameter, which is not a problem for the payload part, but how do I reassemble the stream up to the first ":", so I can read the length information?
That's also done by tcp_dissect_pdus:
(from epan/dissectors/packet-tcp.h)
/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
 *
 * "dissect_pdu()" is the routine to dissect a PDU.
 */
extern void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    gboolean proto_desegment, guint fixed_len,
    guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
    dissector_t dissect_pdu);
In short, you need to tell tcp_dissect_pdus the minimum number of bytes that are always available and will contain enough information to determine the length of a PDU.
In your case the length is in itself of variable length, which makes using tcp_dissect_pdus impossible, unless you can make sure all lengths are noted with a fixed-length string, like "00005:Hello" and "00000:" for PDUs with a maximum size of 99999. If this is not possible, then you will need to use the pinfo struct as can be read in paragraph 2.7.2 of "doc/README.developer".
Hope this helps,
Cheers,
Sake
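An added example (not Wireshark's code and not from the thread): because tcp_dissect_pdus needs a fixed-length header, a netstring dissector has to frame the variable-length "<len>:" prefix itself. The stand-alone C below does that framing and signals "need more bytes" the way a dissector would through pinfo->desegment_len; the function names, the ns_pdu struct and the 9-digit cap on the prefix are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#define NS_NEED_MORE  (-1)  /* PDU incomplete: ask TCP for more bytes */
#define NS_MALFORMED  (-2)  /* not a netstring: stop desegmenting this stream */
#define NS_MAX_DIGITS 9     /* chosen cap on the length prefix (assumption) */

typedef struct {
    size_t payload_off, payload_len;  /* located payload, valid on success */
    size_t need;  /* on NS_NEED_MORE: bytes still missing, 0 if prefix cut off */
} ns_pdu;

/* Frame one netstring "<len>:<payload>," in buf[0..avail). Returns the total PDU
 * length, NS_NEED_MORE (out->need set; a dissector maps it to desegment_len), or NS_MALFORMED. */
int netstring_frame(const uint8_t *buf, size_t avail, ns_pdu *out)
{
    size_t i = 0, len = 0, total;
    out->need = 0;
    /* The prefix is variable-length, so scan for ':' one byte at a time. */
    for (;; i++) {
        if (i == avail) return NS_NEED_MORE;             /* ':' not seen yet */
        if (buf[i] == ':') break;
        if (buf[i] < '0' || buf[i] > '9' || i >= NS_MAX_DIGITS) return NS_MALFORMED;
        if (i == 1 && buf[0] == '0') return NS_MALFORMED;  /* leading zero */
        len = len * 10 + (size_t)(buf[i] - '0');
    }
    if (i == 0) return NS_MALFORMED;                     /* ":" with no digits */
    total = i + 1 + len + 1;                             /* digits ':' payload ',' */
    if (avail < total) { out->need = total - avail; return NS_NEED_MORE; }
    if (buf[total - 1] != ',') return NS_MALFORMED;
    out->payload_off = i + 1;
    out->payload_len = len;
    return (int)total;
}

/* Walk a buffer the way tcp_dissect_pdus loops over PDUs: count complete
 * netstrings and report the trailing bytes that must wait for reassembly. */
int netstring_count_pdus(const uint8_t *buf, size_t avail, size_t *leftover)
{
    int count = 0, r; size_t off = 0; ns_pdu p;
    while (off < avail) {
        r = netstring_frame(buf + off, avail - off, &p);
        if (r == NS_MALFORMED) return NS_MALFORMED;
        if (r == NS_NEED_MORE) break;                    /* wait for more data */
        off += (size_t)r;
        count++;
    }
    *leftover = avail - off;
    return count;
}
```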
