
Wireshark Dissector: How to Identify Missing UDP Frames?

How do you identify missing UDP frames in a custom Wireshark dissector?

I have written a custom dissector for the CQS feed (reference page). One of our servers gaps when receiving this feed. According to Wireshark, some UDP frames are never received. I know that the frames were sent because all of our other servers are gap-free.

A CQS frame consists of multiple messages, each having its own sequence number. My custom dissector provides the following data to Wireshark:

cqs.frame_gaps          - the number of gaps within a UDP frame (always zero)
cqs.frame_first_seq     - the first sequence number in a UDP frame
cqs.frame_expected_seq  - the first sequence number expected in the next UDP frame
cqs.frame_msg_count     - the number of messages in this UDP frame

And I am displaying each of these values in custom columns, as shown in this screenshot:


I tried adding code to my dissector that simply saves the last-processed sequence number (as a local static), and flags gaps when the dissector processes a frame where current_sequence != (previous_sequence + 1). This did not work because the dissector can be called in random-access order, depending on where you click in the GUI. So you could process frame 10, then frame 15, then frame 11, etc.

Is there any way for my dissector to know if the frame that came before it (or the frame that follows) is missing?

The dissector is written in C.

(See also a companion post on serverfault.com)


You should keep in mind that Wireshark does dissection multiple times. The first time it dissects packets in strict order when you load a file. Then it calls dissectors when you scroll the packet tree view or select a packet to build its tree.

You can check if a dissector is called for the first time:

 /* PINFO_FD_VISITED(pinfo) is false on the first, in-order pass and true on every later pass */
 if (!PINFO_FD_VISITED(pinfo)) { ... }

Your dissector should behave differently for the first and for the next dissections.

At first dissection you have to store some information for each packet (in a hash table for example), such as its sequence number and whether it is out of order. You will need it to build the packet tree properly when you are called the second time.


I don't know if you can peek into previous or following frames, but when Wireshark is loading a tcpdump it will call your dissector on each of the frames in order. So I could add a static local variable which is an array or hash table and simply store your values in there. Then your dissector can check that array for previous and following frames and do its analysis.

You should look at that pinfo variable, that's one of the function arguments, for information about the frame number, IP information etc.
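The two-pass approach both answers describe, written out as an added stand-alone example (not code from the question or from Wireshark): on the first, in-order pass the dissector computes and stores a per-frame gap verdict keyed by frame number; on later, random-order passes it only reads the stored result. `fake_pinfo` is a constructed stand-in for the two `packet_info` fields used (`pinfo->num`, or `pinfo->fd->num` in older releases, and `PINFO_FD_VISITED(pinfo)`), and the fixed array stands in for a hash table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed bound on capture size; a real dissector would use a hash table keyed by frame number. */
#define MAX_FRAMES 1024

/* Per-frame result, computed exactly once during the first (in-order) pass. */
typedef struct {
    bool     seen;
    uint32_t first_seq;      /* cqs.frame_first_seq */
    uint32_t expected_seq;   /* cqs.frame_expected_seq: first seq the next frame should carry */
    uint32_t missing;        /* sequence numbers lost between the previous frame and this one */
} cqs_frame_info;

/* Stand-in for the packet_info fields this example needs (constructed, not Wireshark's struct). */
typedef struct {
    uint32_t frame_num;      /* pinfo->num */
    bool     visited;        /* PINFO_FD_VISITED(pinfo) */
} fake_pinfo;

static cqs_frame_info frame_table[MAX_FRAMES];
static uint32_t last_expected_seq;
static bool have_previous;

/* Clear all state; a real dissector registers this as its init routine so reloading a file starts clean. */
void cqs_init(void) {
    memset(frame_table, 0, sizeof frame_table);
    have_previous = false;
}

/* Models the dissector entry point; first_seq and msg_count are what was parsed from the frame.
 * Returns how many sequence numbers went missing before this frame (0 = gap-free). */
uint32_t cqs_dissect(const fake_pinfo *pinfo, uint32_t first_seq, uint32_t msg_count) {
    if (pinfo->frame_num >= MAX_FRAMES)
        return 0;
    cqs_frame_info *info = &frame_table[pinfo->frame_num];
    if (!pinfo->visited) {
        /* First pass: frames arrive in capture order, so the running "last expected"
         * value is trustworthy here and only here. */
        info->seen         = true;
        info->first_seq    = first_seq;
        info->expected_seq = first_seq + msg_count;
        info->missing      = (have_previous && first_seq > last_expected_seq)
                             ? first_seq - last_expected_seq : 0;
        last_expected_seq  = info->expected_seq;
        have_previous      = true;
    }
    /* Later passes may come in any order (GUI clicks), so never recompute: read the stored verdict. */
    return info->seen ? info->missing : 0;
}
```

A real dissector would expose `info->missing` as a `cqs.frame_gaps`-style field and mark it with an expert-info warning so the gap is visible in the packet list.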

