1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
Wireshark dissector notes
Based on doc/README.dissector and headers.
Definitions:
- PDU: Protocol Data Unit: things like TCP packets may span multiple segments
which form one PDU. A single packet may also contain multiple PDUs, think of
a TCP packet containing multiple SSL records. The process of putting multiple
segments into one PDU is called reassembly (or defragmentation).
- tvbuff_t tvb(uff): Testy Virtual(-ize) Buffer of guint8*'s (epan/tvbuff.h).
Testy means exceptions in case of out of bounds access, virtual means that a
tvb can also be a view that is (a subset) of backing buffers. This likely
varies for every PDU.
- packet_info pinfo: Packet Info: state information for a PDU
2.7.2 Reassembly when PDU size is not known before
Always return the number of bytes that are successfully processed. For new
dissectors registered with new_create_dissector_handle, be sure *NOT* to return
0 if the protocol is correct! Return values for the new-style dissectors (see
new_dissector_t in epan/packet.h):
- negative: number of bytes needed for a complete PDU.
- positive: tvbuff contains a PDU with this size.
- zero: the tvbuff does not contain data for our protocol.
The dissect_... function gets called in call_dissector_through_handle
(epan/packet.c). Old style dissectors cannot return a value and will always be
considered successful, see above for new-style dissectors.
The non-zero value of a new-style dissector does not seem to matter, see callers
of call_dissector_work. This may be a bug though.
PROPOSAL:
- zero: protocol rejects data, certainly not our protocol.
- negative: reassembly requested, need at least this amount of data
- positive (equal to tvb_captured_length(tvb)): data is fully accepted
- positive (larger than captured length): should not be possible, dissector
assert and assume tvb_captured_length(tvb)
- positive (smaller than captured length): remainder is for reassembly.
If reassembly is disabled or not supported (anymore) by parent, negative and
positive should have no effect on further packets. can_desegment == 0 if
desegmentation is not offered (anymore) by a dissector.
packet_info fields:
- desegment_offset: offset in tvb which should be kept for the next dissector
call.
- desegment_len: estimated bytes that are *additionally* required for the PDU.
Next time, dissector gets called with data in the current tvb starting at
desegment_offset, with desegment_len extra bytes. If equal to
DESEGMENT_ONE_MORE_SEGMENT, then call dissector on next available segment.
When a positive value is set, then this cannot be changed anymore!
tvbuff
- [captured_]length: size of the available, captured data (tvb_length is
deprecated, use get_captured_length instead).
- reported_length: length of the actual data according to a protocol (such as
the "Total length" field in an IPv4 header). This may be smaller than the
captured length. (XXX: can this be larger than the captured length? I think
so, when the capture got cut because it exceeds the snaplen). See also:
https://ask.wireshark.org/questions/6563/length-vs-reported_length-meaning
|
