For example, as shown in the image below, if I have two UDP packets in different frames, frames 39 and 40, how would I go about dissecting them together? I need data from both packets. I assume I can't use reassembly, since reassembly is for split packets.
Would I need to use more then one dissector?
Frames 39 and 40 say "Message fragment", which presumably means that they are fragments of a single larger message.
If so, that means that the single larger message has been split into multiple fragments, so you would need to reassemble those fragments to construct the larger message.
Oh no that's not it, I just set the text in the column to say "Message fragment" (for no reason really), these aren't actually fragments. Sorry for the confusion.
OK, then if you want help you will need to explain, in detail, how your protocol is structured. Picking "Message fragment" as column text, for "no reason really", does not help us understand how your protocol works!
Apologies! I changed the image if that helps. At the moment, my protocol just simply takes in all packets from UDP port 10160, and changes the text in the column. I need information from both packets 39 and 40 in order to do my dissection. However, I don't know how to dissect both packets in a single dissector.
Then this is the stuff for 'conversations'. You setup conversations on the first pass through the dissection and add protocol related information to it (in this case in packet 39) which you can then use later (in this case in packet 40). There's information on this in the README files in the source tree.
Note that if the dissection of packet 39 depends on the dissection of packet 40, this is more difficult - and can't work if you're doing a one-pass dissection in TShark.
Thank you.
Comments