revisit this reassembly (in a multi-pass program such as Wireshark, or
TShark with -2), we'll throw the same error.
In fragment_set_tot_len(), allow the length to be set to a value that's
before the offset of existing fragments; we'll catch that later when the
reassembly completes. This lets us handle some problems with DTLS less
confusingly.
When adding frames to an already-completed reassembly, check for
fragments that overlap existing fragments or go past the end of the
reassembly, and report errors.
When completing a reassembly, make the buffer for the reassembled data
big enough to contain the specified data length for the reassembly, even
if that's less than the offset + length of the last fragment. Flag all
fragments that go past that length as "too long", and only copy out what
part of them fits, if any. That lets us flag the correct fragment or
fragments as being "too long".
When adding fragments, do some additional checks, even if we're not
doing the first pass through the packets, so errors that show up in the
first pass also show up on subsequent passes.
svn path=/trunk/; revision=48909
be done on flows from one address to another; reassembly for protocols
running atop TCP should be done on flows from one TCP endpoint to
another.
We do this by:
adding "reassembly table" as a data structure;
associating hash tables for both in-progress reassemblies and
completed reassemblies with that data structure (currently, not
all reassemblies use the latter; they might keep completed
reassemblies in the first table);
having functions to create and destroy keys in that table;
offering standard routines for doing address-based and
address-and-port-based flow processing, so that dissectors not
needing their own specialized flow processing can just use them.
This fixes some mis-reassemblies of NIS YPSERV YPALL responses (where
the second YPALL response is processed as if it were a continuation of
a previous response between different endpoints, even though said
response is already reassembled), and also allows the DCE RPC-specific
stuff to be moved out of epan/reassembly.c into the DCE RPC dissector.
svn path=/trunk/; revision=48491
No, ReportedBoundsError is not the right thing to throw, ReassemblyError is.
That's why I added it in the first place!
svn path=/trunk/; revision=48123
instead of using DISSECTOR_ASSERT. When a dissector passes bad data to the
reassembly machine, that isn't necessarily the dissector's fault - the data may
come straight from the packet, and the dissector may not have enough information
to know it's bad without telling the reassembly machine in the first place.
Also fix a bug in the reassembly machine. If it were given a fragment and all of
the following conditions were met:
- the other associated fragments were already marked as done (reassembled)
- the fragment went beyond the end of the conceptual reassembled buffer
- the dissector had not set the PARTIAL_REASSEMBLY flag
then the reassembly machine would incorrectly think there was an overlap and
run past the end of the already-reassembled buffer.
Should fix the rest of
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380
#BACKPORT
This is probably too big and intrusive to backport directly, and parts of it
will need adapting anyways since reassemble.c has changed. But the bug exists
and crashes in 1.6 and 1.8, so we'll have to do something.
svn path=/trunk/; revision=48011
sanity checks before setting a packet's total length in
fragment_set_tot_len()
(from me: check if fragments exist for the given id)
hopefully, this fixes#8111 and #8163 without causing troubles for other
protocols that use fragmentation and reassembly
svn path=/trunk/; revision=46999
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.
tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.
My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.
The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.
svn path=/trunk/; revision=44802
make Save-As/Displayed/All-Packets save not only the displayed packets but
also any other packets needed (e.g., for reassembly) to fully dissect the
displayed packets.
This works only for the "All packets" case; choosing only the Selected packet,
the Marked packets, or a range of packets would require actually storing which
packets depend on which (too much memory) or going through the packet list many
times (too slow). Also, this behavior is always the case: you can't save the
displayed packets without their dependencies (I don't see why this would be
desirable).
So far this is done for SCTP and things using the reassembly routines (TCP has
been tested).
The Win32 dialog was modified but hasn't been tested yet.
One confusing aspect of the UI is that the Displayed count in the Save-As
dialog does not match the number of displayed packets. (I tried renaming the
button "Displayed + Dependencies" but it looked too big.) The tooltip tries
to explain this and the fact that this works only in the All-Packets case;
suggestions for improvement are welcome.
Implementation details:
Dissectors (or the reassembly code) can list frames which were needed to
build the current frame's tree. If the current frame passes the display
filter then each listed frame is marked as "depended upon" (this takes up the
last free frame_data flag).
When performing a Save-As/Displayed/All-Packets then choose packets which
passed the dfilter _or_ are depended upon.
svn path=/trunk/; revision=41216
in README.devloper. Remove g_gnuc.h since it's no longer needed. Remove
tvbuff_init(), tvbuff_cleanup(), reassemble_init(), and
reassemble_cleanup() since they were only used for older GLib versions
which didn't support GSlices. Assume we always support the "matches"
operator.
svn path=/trunk/; revision=37978
http://www.wireshark.org/lists/wireshark-dev/200910/msg00074.html
g_slice allocing the keys should make it possible to walk the
fragment table and free the fragments once they are g_slice_alloced.
It remains fo figure out how to do that.
svn path=/trunk/; revision=37112
current fragment pushes us past the reassembled size: it may be that the
current fragment is a duplicate/retransmission and will be ignored.
Also, if we detect a conflict between a previous and the current fragment,
flag the current (conflicting) fragment as FD_OVERLAPCONFLICT. Do *not* flag
the fragment that got us into the reassembly routine (probably the final
fragment): it is not (may not be) the guilty fragment.
Clean up some spacing.
Also add reassembly tests for duplicate/retransmitted fragments.
svn path=/trunk/; revision=36131
the data source does not need to be allocated if (!tree).
Rev 30158 took the if (!tree) check out indicating that the check was invalid.
So: (since packet_add_new_data_source() now only calls add_new_data_source()),
remove packet_add_new_data_source().
svn path=/trunk/; revision=34717
compiling again.
fragment_add_seq_check(), fragment_add_seq_802_11(), and fragment_add_seq_next()
all call fragment_add_seq_check_work() so make their prototypes match each other
in const-ness. This fixes a warning when compiling reassemble_test.
svn path=/trunk/; revision=32933
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4422
From me: Fix a number of instances where the function prototype or
the function definition wasn't changed so there was a mismatch
thus causing Windows (but not gcc) compilation errors.
svn path=/trunk/; revision=32365
- it contains pointers to a couple malloc()'d addresses
- it is inserted in the fragment table (the contents of which are
g_free()'d in free_all_fragments())
Instead, do like fragment_key_copy() and use a g_slice or g_chunk, depending
on the glib version.
svn path=/trunk/; revision=30599
1) The tvb + name (aka. data_source) is only used when the protocol tree is visible
The current implementation of add_new_data_source() doesn't take this into account and simply allocates a data_source regardless. This is what packet_add_new_data_source() tries to rectify.
A couple of dissectors have already been switched over to the new packet_add_new_data_source(). Many are still missing. Help appreciated!
svn path=/trunk/; revision=29427
fragmented data without adding an empty data fragment.
This is used by the RTSE dissector which can't identify the
last fragment until after it has been added.
svn path=/trunk/; revision=22174
01_reassemble_test.patch
------------------------
I didn't want to do anything without some unit tests, so here they are.
This allows a standalone binary, epan/reassemble_test, to be built; this can be run from the commandline and should end up printing out "success"
if all goes well.
NOTE the changes to makefile.am NOT checked in currently.
Incidentally: is it possible to get the buildbot to run things like this, exntest and tvbtest?
02_reassemble_refactor.patch
----------------------------
fragment_add_seq, fragment_add_dcerpc_dg and fragment_add_seq_check_work were all pretty much carbon-copies of each other. This patch factors out the common parts of the routines into a new routine, fragment_add_seq_key().
03_reassemble_partial_reassembly.patch
---------------------------------------
This makes fragment_set_partial_reassembly() work for datagrams assembled with fragment_add_seq(). The patch itself is actually quite small, but it adds another unit test which is reasonably lengthy.
svn path=/trunk/; revision=20888
having been reassembled.
Fix the comments in reassembly.c and reassembly.h regarding what the reassembly
routines actually return in the 802.11 and no-sequence-number cases when they
are given the first and last packet (that is, a non-segmented packet): in
particular the routines return a pointer to a list containing just the one
fragment.
svn path=/trunk/; revision=20505
add a check to fragment_add_common() if the given tvb parameters are ok, otherwise throw a DissectorError
add some more symbols to libethereal.def
svn path=/trunk/; revision=17073
Find attached a couple of changes for t38:
- Use the dissector to reassemble t30 frames
- Dissect t30 protocol
- Move the "Fax t38 analysis" to the "VoIP Calls". Now when selecting
"Statistics"->"Fax t38 analysis" option, there is a message that
redirect the user to use the "Voip calls" instead. We may keep this
option for one release, and then remove it ?
- Added in the "Voip calls" the ability to detect a t38 call if there
are not signaling associated with it. For example, when using "Decode
as.." to dissect t38 packets, it is possible to use the "Voip calls" to analyze that call.
- Display "SDP (t38)" in the "Voip calls graph" for SDP t38 sessions.
Regards
Alejandro Vaquero
svn path=/trunk/; revision=17033
in addition, I had to implement fragment_get_reassembled() in addition to fragment_get(), which works with reassembled_table
svn path=/trunk/; revision=15762
as connection oriented (cn) and connectionless (dg) DCE/RPC uses different ways to handle defragmentation and this function is only used for dg
svn path=/trunk/; revision=15757
reassemble.c:
I had to change the way the reassemble code works if the dissector is telling that more fragments *will* follow. In this case the reassemble code shouldn't try to reassemble already at that time ...
I've also changed the way if a fragment was already seen or not, as it's not enough to check for the frame number, in the scenario described above.
Unfortunately both changes *might* broke other protocols from reassemble properly. I've checked with excessive TCP desegmentation and it's still working without any changes :-)
packet-dcerpc.c:
use a tvb subset to limit the "end of bytes" processed in a single fragment dissect run, as each fragment has it's own DCE/RPC header (and isn't part of the stub data of the previous packet).
svn path=/trunk/; revision=15744
dissector says "sorry, I need even more data in this packet", don't flag
that packet as being reassembled in that frame. Indicate that we should
perhaps do all the "partial reassembly" stuff in
"fragment_set_partial_assembly()", which would obviate the need for the
hack in the TCP dissector.
Clean up indentation.
svn path=/trunk/; revision=15139
FD_NOT_MALLOCED set, has to be copied - all FD_NOT_MALLOCED means is
that the fragment's data is part of the old reassembled data, rather
than a malloced chunk of its own (this happens if, after reassembly, the
dissector says more reassembly is necessary, as can happen, for example,
in the case of HTTP and other protocols where reassembly continues until
a terminator is seen). Not copying the data means that the reassembled
data is, in part, whatever random junk happens to be in the
newly-allocated buffer.
Back out the change not to copy the data, but add some sanity checks, in
the hopes of preventing the crash that caused the change not to copy the
data to be added, and in the hopes of discovering the ultimate source of
that crash and fixing it.
svn path=/trunk/; revision=15057