I have had a similar issue with my plugin. What I see is the following behavior:
- My dissector is called at the beginning of the PDU.
- My dissector calls tcp_dissect_pdus(). The length retrieval function yields the correct value for the PDU length, which exceeds the size of the current packet.
- tcp_dissect_pdus() notes that the PDU size exceeds the packet size and sets up the reassembly variables in the packet_info struct.
- tcp_dissect_pdus() returns, my dissector exits.
- Instead of returning to my dissector when the PDU is reassembled, the TCP dissector calls my dissector for each packet within the PDU. Since the packet does not begin on a PDU start, my dissector discards them.

The result is similar to what has been stated here. Each packet is denoted as being part of a reassembled PDU, but the reassembled PDU is never actually returned to the dissector, nor is the reassembly info (i.e. the source frames) ever denoted in the PDU's final packet.

When I traced back into the TCP dissector, I noticed that there was never a non-null tcp_analysis struct associated with the conversation. It was always null. Since this is where flow state is stored, the dissector could never reassemble my fragmented PDUs.

I didn't get any further than that, as I got sidetracked onto other projects.

On Fri, Feb 29, 2008 at 12:51 AM, Merlin Hooze <[EMAIL PROTECTED]> wrote:

> Hello
> Thanks for your response,
> The maximum lengths returned by get_myplugin_pdu_len() are 1028 and 17161.
> Might that be a problem?
>
> But I can't understand why the message length is showing that big a value
> as the messages are quite small enough!
>
> Thanks
>
> --- On Thu, 2/28/08, Jaap Keuter <[EMAIL PROTECTED]> wrote:
>
> > From: Jaap Keuter <[EMAIL PROTECTED]>
> > Subject: Re: [Wireshark-dev] : Plugin dissector not called when wireshark reassembles the message
> > To: [EMAIL PROTECTED], "Developer support list for Wireshark" <wireshark-dev@wireshark.org>
> > Date: Thursday, February 28, 2008, 5:44 PM
> >
> > Hi,
> >
> > What does get_myplugin_pdu_len() return? I think this value
> > is too high, hence the TCP dissector never sees the end of
> > the payload.
> >
> > Thanx,
> > Jaap
> >
> > Merlin Hooze wrote:
> > > Hi,
> > >
> > > I have created a plugin for wireshark, which works
> > > fine normally but it's not able to dissect when the message
> > > is split and reassembled by wireshark. In my dissector I am
> > > using the following function as below..
> > >
> > > tcp_dissect_pdus(message_tvb, pinfo, tree, TRUE, 5,
> > > get_myplugin_pdu_len, dissect_myplugin);
> > >
> > > But when I capture the trace, I can see the protocol
> > > as [TCP segment of a reassembled PDU] only. Looks like the
> > > dissector function for my plugin is not called.
> > > I guess [TCP segment of a reassembled PDU] is
> > > displayed when wireshark is reassembling the packets. So
> > > when it's reassembling then why is it not calling my dissector
> > > after it has reassembled?
> > >
> > > Any hints?
> > >
> > > Thanks..
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
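
An added illustration, not part of the thread and not Wireshark code: a small self-contained C model of length-prefixed reassembly showing the failure mode Jaap describes, where a length callback that returns too large a value means the end of the PDU is never seen and the PDU dissector is never called. The 5-byte header layout (type byte plus 4-byte big-endian body length), the function names and the sample bytes are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 5 /* fixed header size, as passed to tcp_dissect_pdus() in the thread */

typedef uint32_t (*pdu_len_fn)(const uint8_t *hdr);

/* Assumed layout: 1 type byte, then a 4-byte big-endian body length. */
static uint32_t len_correct(const uint8_t *h) {
    return HDR_LEN + (((uint32_t)h[1] << 24) | ((uint32_t)h[2] << 16) |
                      ((uint32_t)h[3] << 8) | (uint32_t)h[4]);
}

/* Constructed defect: the same field read in the wrong byte order. */
static uint32_t len_wrong_order(const uint8_t *h) {
    return HDR_LEN + (((uint32_t)h[4] << 24) | ((uint32_t)h[3] << 16) |
                      ((uint32_t)h[2] << 8) | (uint32_t)h[1]);
}

/* Buffer each segment; count completed PDUs (calls the PDU dissector would get). */
static int count_dissected(const uint8_t *stream, const size_t *seg_len,
                           size_t nsegs, pdu_len_fn get_len) {
    uint8_t buf[256];
    size_t have = 0;
    int dissected = 0;
    for (size_t i = 0; i < nsegs; i++) {
        if (seg_len[i] > sizeof buf - have) return -1; /* model buffer full */
        memcpy(buf + have, stream, seg_len[i]);
        stream += seg_len[i];
        have += seg_len[i];
        while (have >= HDR_LEN) {
            uint32_t need = get_len(buf);
            if (need < HDR_LEN || need > have) break; /* wrapped or incomplete: wait */
            dissected++;
            memmove(buf, buf + need, have - need);
            have -= need;
        }
    }
    return dissected;
}

/* Constructed capture: two 11-byte PDUs delivered as segments of 8 and 14 bytes. */
static int demo(pdu_len_fn get_len) {
    static const uint8_t stream[] = {1, 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', '!',
                                     2, 0, 0, 0, 6, 'w', 'o', 'r', 'l', 'd', '!'};
    static const size_t seg_len[] = {8, 14};
    return count_dissected(stream, seg_len, 2, get_len);
}
```

With the correct length function both PDUs complete once the second segment arrives; with the wrong byte order the declared length is far larger than the stream and no PDU ever completes, so every segment stays "part of a reassembled PDU".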