Hi Wireshark Dev List,
We have a network with DNP3.0 that is using UDP. We have a gateway device
that communicates to a collections of RTUs (RTU = Remote Terminal Unit, a
device on the DNP3.0 network) over a serial radio-modem network and we
talk to the gateway using UDP / IP.
The DNP3.0 dissector uses the standard calls to find_conversation etc...
and fragment_add_seq_next etc... to do application layer frame re-assembly
as follows:
if (! (tr_fir && tr_fin))
{
/* A fragmented packet */
pinfo->fragmented = TRUE;
/* Look up the conversation to get the fragment reassembly id */
conversation = find_conversation(pinfo->fd->num, &pinfo->src,
&pinfo->dst,
pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
if (conversation == NULL) {
/* No conversation yet, so make one */
conversation = conversation_new(pinfo->fd->num, &pinfo->src,
&pinfo->dst, pinfo->ptype,
pinfo->srcport, pinfo->destport, 0);
}
conv_data_ptr =
(dnp3_conv_t*)conversation_get_proto_data(conversation, proto_dnp3);
if (conv_data_ptr == NULL) {
/* New data structure required */
conv_data_ptr = se_alloc(sizeof(dnp3_conv_t));
/*** Increment static global fragment reassembly id ***/
conv_data_ptr->conv_seq_number = seq_number++;
conversation_add_proto_data(conversation, proto_dnp3, (void
*)conv_data_ptr);
}
conv_seq_number = conv_data_ptr->conv_seq_number;
/*
* Add the frame to
* whatever reassembly is in progress, if any, and see
* if it's done.
*/
frag_msg = fragment_add_seq_next(al_tvb, 0, pinfo,
conv_seq_number,
al_fragment_table,
al_reassembled_table,
tvb_reported_length(al_tvb), /* As this is a constructed tvb,
all of it is ok */
!tr_fin);
next_tvb = process_reassembled_data(al_tvb, 0, pinfo,
"Reassembled DNP 3.0 Application Layer message", frag_msg,
&dnp3_frag_items,
&update_col_info, tr_tree);
Unfortunately this does not take into account the fact that over the same
IP address / port number pairs we may receive messages from many different
source RTUs that should be treated as separate conversations. The problem
we have at the moment is that we are getting fragment re-assembly
occurring for fragments from difference RTUs.
Is there a standard way to handle situations like this? If so can someone
point me to the correct dissector to look at?
We can provide packet captures that demonstrate the issue if desired. It
is considered acceptable to attach a .pcap file to a posting to this
mailing list?
Thanks in advance,
Kelvin Proctor
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
