Ethereal-dev: Re: [ethereal-dev] filters for ethereal?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Eric A. Hall" <ehall@xxxxxxxxx>
Date: Thu, 10 Dec 1998 13:36:36 -0800
> I think this is a good idea. Let's think about this a little.

It would make it a lot easier/faster.

> Put this in a file format that ethereal can parse.. something like
> <typename>.parser or something like that.

I think a ./parsers directory, with a map file:

TCP/43 whois.map
TCP/79 finger.map
TCP/110 pop3.map
TCP/113 ident.map

Each map would then contain byte-level decode maps that called out
commands and/or data. Note that the starting point for the decode map
would have to be the first byte of application data (which would have to
be determined prior to calling the parser, in case of extra TCP or IP
headers).

The maps themselves would still have to be complex. Something like:

# Ident decoder

EOL=(0x0D,0x0A)   # CR LF (decimal 13,10)
if (dest-port=TCP/113) goto Client-Query
if (source-port=TCP/113) goto Server-Response

:Client-Query

IdentTarget = trim(mid$(0,(first(",")-1)))
IdentSource = trim(mid$((Dest-port + 1),EOL))
OSType=""
Identity=""
goto Display

:Server-Response

IdentTarget = trim(mid$(0,(first(",")-1)))
IdentSource = trim(mid$((Dest-port + 1),(first(":") - 1)))
OSType = trim(mid$((first(":") + 1), (second(":") - 1)))
Identity = trim(mid$((second(":") + 1), (EOL - 1)))
goto Display

:Display
print ("Target port = " IdentTarget\n)
print ("Source port = " IdentSource\n)
If OSType <> "" then print ("OS Type = " OSType\n)
If Identity <> "" then print ("Identity = " Identity\n)

end


...which is why I don't program any more. :) Anyway, there'd probably
have to be a script engine of some kind, since the protos vary widely.

> I think all the major protocols that other products support should be
> supported in ethereal with c code, but this would be a feature no one
> else has.

NAI's SnifferBasic (NetXRay regurgitated) uses DLLs for add-on decodes.
This lets them sell a basic kit and then charge for decodes like imap.

-- 
Eric A. Hall                                            ehall@xxxxxxxxx
+1-650-685-0557                                    http://www.ehsco.com
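Added example, not code from Eric's message or from Ethereal: a small Python decoder that follows the structure of the Ident map sketched above (Client-Query and Server-Response branches, then Display). It assumes the caller has already located the first byte of application data and supplies the TCP ports; the function names and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113
EOL = b"\r\n"          # CR LF, i.e. bytes 0x0D 0x0A


@dataclass
class IdentRecord:
    target_port: str
    source_port: str
    os_type: str = ""     # slot between the first and second ":" in the map
    identity: str = ""    # everything after the second ":" up to EOL


def decode_ident(payload: bytes, src_port: int, dst_port: int) -> Optional[IdentRecord]:
    """Decode one Ident line from the start of the application data.

    payload must begin at the first byte of application data; src_port and
    dst_port select the client or server branch, as the map's port tests do.
    Returns None when the direction is not Ident or no full line is present.
    """
    if EOL not in payload:
        return None                                  # incomplete line, wait for more
    line = payload.split(EOL, 1)[0].decode("ascii", errors="replace")
    if "," not in line:
        return None                                  # both forms need "port, port"
    target, rest = line.split(",", 1)
    if dst_port == IDENT_PORT:                       # Client-Query branch
        return IdentRecord(target.strip(), rest.strip())
    if src_port == IDENT_PORT:                       # Server-Response branch
        parts = rest.split(":", 2)                   # source : os_type : identity
        parts += [""] * (3 - len(parts))             # tolerate short replies
        return IdentRecord(target.strip(), parts[0].strip(),
                           parts[1].strip(), parts[2].strip())
    return None                                      # not Ident traffic


def display(rec: IdentRecord) -> list[str]:
    """Mirror the Display block: empty OS Type / Identity fields are omitted."""
    lines = [f"Target port = {rec.target_port}", f"Source port = {rec.source_port}"]
    if rec.os_type:
        lines.append(f"OS Type = {rec.os_type}")
    if rec.identity:
        lines.append(f"Identity = {rec.identity}")
    return lines


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    query = b"6191, 23\r\n"
    reply = b"6191, 23 : USERID : UNIX : alice\r\n"
    for out in display(decode_ident(query, 1024, IDENT_PORT)):
        print(out)
    for out in display(decode_ident(reply, IDENT_PORT, 1024)):
        print(out)
```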