Doing my own message reassembly doesn't work because I have header information I have to strip out in order to get a contiguous payload. Here's a generalization of what I'm dealing with:

Message 1 header:
  > indicates a size of message 1
  > other data
Message 1 body:
  > indicates that this is a multi-part message
  > indicates payload length
  > other data
  > first part of payload
Message 2 header:
  > indicates size of message 2
  > other data
Message 2 body:
  > second part of payload
...

Right now, I use tcp_dissect_pdus to aggregate the individual messages, like Message 1 and Message 2 above. I then copy out the payload into an allocated memory space so that I can dissect the payload as a tvbuff.

Best regards,

M. Scott Mueller

-----Original Message-----
From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Scott Mueller
Sent: Monday, September 27, 2010 1:43 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs

Hi Stephen,

Section 2.7.2 is basically about doing the work that tcp_dissect_pdus does, and that is certainly an option. Large messages composed in the way I described with my protocol (which uses TCP) are a special case; I didn't want to re-work everything for this. Composite tvbuffs sounded like a good way to deal with this. If they don't work, I'll have to bite the bullet and do the work.

Thanks again,

Best regards,

M. Scott Mueller

-----Original Message-----
From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Stephen Fisher
Sent: Friday, September 24, 2010 10:17 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] composite tvbuffs

On Fri, Sep 24, 2010 at 05:33:25PM -0700, Scott Mueller wrote:

> Thank you for your response. I'm working with a multi-layered protocol
> that relies on TCP/IP, and in some cases the contiguous payload that I
> need to work with is spread out across several well-formed messages.

Have you looked at the reassembly information in README.developer, specifically section 2.7.2, "Modifying the pinfo struct"?
That may do the job for you, especially if the messages span multiple TCP segments. The preceding section about using tcp_dissect_pdus could work too, but it's geared toward simple TCP reassembly.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
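
An added example, not part of the original thread and not Wireshark code: stand-alone C for the step described in the top message, stripping each message's header and copying the fragments into one contiguous payload buffer, with every length field validated before the copy because it comes from captured traffic. The wire layout (field widths, flag bit) and all names are assumptions, since the thread gives only a generalized description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (an assumption, not the poster's real protocol):
 *   header:      u16 msg_size (big-endian, counts header + body), u16 other
 *   first body:  u8 flags (bit 0 = multi-part), u16 payload_len, fragment
 *   later body:  fragment only */
enum { HDR_LEN = 4, FIRST_BODY_META = 3, FLAG_MULTIPART = 0x01 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copies the payload fragments of one logical message into out.
 * Returns the payload length, or -1 if any length field is inconsistent. */
long reassemble_payload(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap)
{
    size_t off = 0, have = 0, want = 0;
    int first = 1;
    do {
        if (len - off < HDR_LEN) return -1;            /* truncated header */
        size_t msg_size = be16(buf + off);
        if (msg_size < HDR_LEN || msg_size > len - off) return -1;
        const uint8_t *body = buf + off + HDR_LEN;
        size_t body_len = msg_size - HDR_LEN;
        if (first) {
            if (body_len < FIRST_BODY_META) return -1;
            want = be16(body + 1);
            if (want > out_cap) return -1;             /* declared length vs. buffer */
            if (!(body[0] & FLAG_MULTIPART) && body_len - FIRST_BODY_META != want)
                return -1;                             /* single message must hold it all */
            body += FIRST_BODY_META;
            body_len -= FIRST_BODY_META;
            first = 0;
        }
        if (body_len > want - have) return -1;         /* fragment overruns payload */
        memcpy(out + have, body, body_len);
        have += body_len;
        off += msg_size;                               /* always advances by >= HDR_LEN */
    } while (have < want);
    return (long)have;
}

/* Constructed sample: "HELLOWORLD" split across two messages. */
static const uint8_t sample[] = {
    0x00, 0x0C, 0, 0, 0x01, 0x00, 0x0A, 'H', 'E', 'L', 'L', 'O',
    0x00, 0x09, 0, 0, 'W', 'O', 'R', 'L', 'D',
};

int main(void)
{
    uint8_t out[16];
    return reassemble_payload(sample, sizeof sample, out, sizeof out) == 10 ? 0 : 1;
}
```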