Wireshark mailing list archives

Re: calculating PDU size of TCP message


From: Guy Harris <guy () alum mit edu>
Date: Mon, 21 Jul 2014 13:52:40 -0700


On Jul 21, 2014, at 1:46 PM, "John Dill" <John.Dill () greenfieldeng com> wrote:

> I have a TCP message (that I reverse engineered) that contains blocks of the following type:
> 
>  -------------
> |  Data Type  | 4 bytes
>  -------------
> | Payload Len | 4 bytes
>  -------------
> |  Checksum   | 4 bytes
>  -------------
> |    Data     | = Payload Len
>  -------------
>    (repeats)
> 
> Since I did not know about the underlying structure, I used tcp_dissect_pdus with a TCP header length of 12 bytes to 
> be able to read a single block.
> 
> tcp_dissect_pdus(tvb, pinfo, tree, desegment_tcp_messages,
>                  TCP_PAYLOAD_HDR_LENGTH,
>                  get_tcp_pdu_len,
>                  dissect_tcp_pdu);
> 
> I have discovered that in general, this application layer message can have multiple blocks

What do you mean by "this application layer message"?

If a "block" is

 -------------
|  Data Type  | 4 bytes
 -------------
| Payload Len | 4 bytes
 -------------
|  Checksum   | 4 bytes
 -------------
|    Data     | = Payload Len
 -------------

then presumably there's some *other* header that indicates which blocks are part of a given application layer message, 
or a convention that an application layer message consists of a sequence of blocks all of the same data type (so that a 
change in the data type is an indication that one application layer message ended and another began), or something such 
as that.

Without knowing that, it will be impossible to do

Frame
Ethernet II
Internet Protocol Version 4
Transmission Control Protocol
Application Protocol
  Block 1
  Block 2
  Block ...
  Block N

because Wireshark won't be able to determine where one application layer message begins and another ends.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
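To make the framing question in this exchange concrete, here is an added Python model (not Wireshark code and not from either poster) of what tcp_dissect_pdus does with the 12-byte block header: a get_pdu_len callback that reads Payload Len, a loop that splits a reassembled stream into blocks and reports how much is still missing, and a hypothetical grouping of blocks into messages by a change in Data Type, which is only one of the conventions the reply speculates about. Big-endian fields, the 1 MiB sanity bound on the untrusted length field, and the byte-sum "checksum" in the constructed sample are assumptions, not properties of the real protocol.

```python
import struct

HDR_LEN = 12            # Data Type (4) + Payload Len (4) + Checksum (4)
MAX_PAYLOAD = 1 << 20   # assumed sanity bound: Payload Len comes off the wire untrusted


def get_pdu_len(buf, offset):
    """Counterpart of the get_tcp_pdu_len callback: with at least HDR_LEN bytes
    available at offset, return the length of the whole block (header + Data)."""
    _, payload_len, _ = struct.unpack_from(">III", buf, offset)  # big-endian assumed
    if payload_len > MAX_PAYLOAD:
        raise ValueError("implausible Payload Len %d at offset %d" % (payload_len, offset))
    return HDR_LEN + payload_len


def split_blocks(stream):
    """Split a reassembled TCP byte stream into (data_type, checksum, data) blocks.
    Returns (blocks, leftover); leftover is the tail for which more TCP segments are
    needed, which is exactly what tcp_dissect_pdus asks the TCP layer to deliver."""
    blocks, offset = [], 0
    while len(stream) - offset >= HDR_LEN:          # enough bytes for a header?
        pdu_len = get_pdu_len(stream, offset)
        if len(stream) - offset < pdu_len:          # header present, Data incomplete
            break
        data_type, _, checksum = struct.unpack_from(">III", stream, offset)
        data = stream[offset + HDR_LEN:offset + pdu_len]
        blocks.append((data_type, checksum, data))
        offset += pdu_len
    return blocks, stream[offset:]


def group_by_data_type(blocks):
    """Hypothetical convention from the reply: an application layer message is a run
    of consecutive blocks sharing one Data Type, so a change starts a new message."""
    messages = []
    for block in blocks:
        if messages and messages[-1][-1][0] == block[0]:
            messages[-1].append(block)
        else:
            messages.append([block])
    return messages


def make_block(data_type, data):
    """Constructed sample input; the byte-sum checksum is a placeholder, not the real one."""
    return struct.pack(">III", data_type, len(data), sum(data) & 0xFFFFFFFF) + data


# Constructed stream: two type-1 blocks, one type-2 block, then a 2-byte partial header.
SAMPLE = make_block(1, b"abc") + make_block(1, b"de") + make_block(2, b"xyz") + b"\x00\x00"
```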

