Ethereal-dev: Re: [ethereal-dev] filters for ethereal?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Laurent Deniel <deniel@xxxxxxxxxxx>
Date: Fri, 11 Dec 1998 18:26:50 +0100
Joao Carlos Mendes Luis wrote:
>
> Instead of interpreting a text definition, wouldn't it be better to
> have decoders as dynamically loaded pre-compiled modules?

IMO, having a DLL, a shared library or whatever C code is the same as
modifying the ethereal C code.

The attached file is an example (from the code I already mentioned) of
what can be done with a non-compiled text file (yes, I know, it looks
like C, but look carefully ;-)

Laurent.

--
Laurent DENIEL | E-mail: deniel@xxxxxxxxxxx
Paris, FRANCE  |         deniel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
               | WWW   : http://www.worldnet.fr/~deniel
All above opinions are personal, unless stated otherwise.
#
# common definitions
#

# Base type table. Each entry is "typedef [SIGNED|UNSIGNED] <number> <name>";
# the number is presumably the field width in bits (1 = bit, 4 = nibble,
# 48 = addr_eth) -- confirm against the interpreter, which is not shown here.
# NOTE(review): tcp_seq is declared in terms of u_long, but no typedef for
# u_long is visible in this file; presumably built in, or an omission.
typedef 1 bit;
typedef 4 nibble;
typedef 8 char;
typedef 16 short;
typedef 32 float;
typedef 48 addr_eth;
typedef 64 double;
typedef SIGNED 32 int;
typedef UNSIGNED 8 u_char;
typedef UNSIGNED 16 u_short;
typedef UNSIGNED 32 u_int;
typedef int in_addr;
typedef u_long tcp_seq;

# Named constants used by the match expressions further down.
# UNKNOWN (-1) is used below as an array size (sock[UNKNOWN], text[UNKNOWN]).
# ROUTE_PORT 0x0208 is 520 decimal, the same port as the "route" entry below.
#define UNKNOWN -1
#define ETHERTYPE_PUP 0x0200 /* PUP protocol */
#define ETHERTYPE_NS 0x0600 /* XNS protocol */
#define ETHERTYPE_IP 0x0800 /* IP protocol */
#define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */
#define ETHERTYPE_DN 0x6003 /* DECnet protocol */
#define ETHERTYPE_LAT 0x6004 /* LAT protocol */
#define ETHERTYPE_ATALK 0x809B /* Appletalk */
#define ETHERTYPE_AARP 0x80F3 /* Appletalk Arp */
#define ETHERTYPE_RARP 0x8035 /* Reverse Arp */
#define ETHERTYPE_LOOP 0x9000 /* Mop Loopback protocol */
#define ETHERTYPE_RC 0x6002 /* MOP Remote Console */
#define IPPROTO_IP 0 /* dummy for IP */
#define IPPROTO_ICMP 1 /* control message protocol */
#define IPPROTO_GGP 3 /* gateway^2 (deprecated) */
#define IPPROTO_TCP 6 /* tcp */
#define IPPROTO_EGP 8 /* exterior gateway protocol */
#define IPPROTO_PUP 12 /* pup */
#define IPPROTO_UDP 17 /* user datagram protocol */
#define IPPROTO_IDP 22 /* xns idp */
#define IPPROTO_HELLO 63 /* Fuzzball HELLO protocol */
#define IPPROTO_RAW 255 /* raw IP packet */
#define NFS_PORT 2049
#define LOGIN_PORT 513
#define ROUTE_PORT 0x0208
#define LINE_NAME_MAX_LGTH 12

#
# protocol types
#

# One record per protocol name: "<name>, <kind> <arguments>".
# Kinds seen here are proto_ip, port, portint, type_ether and val; what each
# one means is defined by the interpreter, not by this file.
# "X, portint tcp 6000 10" presumably describes a port interval; the X struct
# further down tests ports 6000 through 6010.
# Decnet and DNA_ROUTING share type_ether 0x6003 and differ only in the extra
# "val ether_header 0 byte ..." clause.
tcp, proto_ip tcp
udp, proto_ip udp
icmp, proto_ip icmp
NFS, port udp 2049
X, portint tcp 6000 10
login, port tcp login
who, port udp who
shell, port tcp shell
efs, port tcp 520
route, port udp 520
isode, port tcp 102
XEROX_PUP, type_ether 0x0200
XEROX_PUP_AT, type_ether 0x0201
Nixdorf, type_ether 0x0400
XNS_IDP, type_ether 0x0600
XNS, type_ether 0x0601
IP, type_ether 0x0800
X_75_INTERNET, type_ether 0x0801
NBS_INTERNET, type_ether 0x0802
ECMA_INTERNET, type_ether 0x0803
CHAOSNET, type_ether 0x0804
X25_L3, type_ether 0x0805
TCP_ARP, type_ether 0x0806
XNS_COMP, type_ether 0x0807
Xerox_PUP, type_ether 0x0a00
Xerox_PUPAT, type_ether 0x0a01
Banyan_sys, type_ether 0x0bad
Banyan_echo, type_ether 0x0baf
Berkeley, type_ether 0x1000
Berkeley_ip, type_ether 0x1001
DEC_exp, type_ether 0x6000
MOP_DUMP_LOAD, type_ether 0x6001
MOP_RC, type_ether 0x6002
Decnet, type_ether 0x6003, val ether_header 0 byte 0xaa
DNA_ROUTING, type_ether 0x6003, val ether_header 0 byte 0xab
DEC_LAT, type_ether 0x6004
DEC_DIAG, type_ether 0x6005
DEC_CUST, type_ether 0x6006
DEC_SCA, type_ether 0x6007
DEC_AMBER, type_ether 0x6008
DEC_MUMPS, type_ether 0x6009
3Com_1, type_ether 0x6010
3Com_2, type_ether 0x6011
3Com_3, type_ether 0x6012
3Com_4, type_ether 0x6013
3Com_5, type_ether 0x6014
CRONUS_VLN, type_ether 0x8003
CRONUS_DIRECT, type_ether 0x8004
HP_probe, type_ether 0x8005
NESTAR, type_ether 0x8006
EXCELAN, type_ether 0x8010
RARP, type_ether 0x8035
IPX, type_ether 0x8037
BRIDGE_MGMT, type_ether 0x8038
DEC_DSM_DDP, type_ether 0x8039
DEC_DTS, type_ether 0x803e
DEC_LAN_TMP, type_ether 0x803f
DEC_NetBios, type_ether 0x8040
LAST, type_ether 0x8041
ATT, type_ether 0x8069
VLNK_C_1, type_ether 0x807d
VLNK_C_2, type_ether 0x807e
VLNK_C_3, type_ether 0x807f
VLNK_C_4, type_ether 0x8080
EtherTalk, type_ether 0x809b
DCA_1, type_ether 0x80c0
DCA_2, type_ether 0x80c1
DCA_3, type_ether 0x80c2
DCA_4, type_ether 0x80c3
AARP, type_ether 0x80f3
Novell, type_ether 0x8138
SNMP, type_ether 0x814c
MOP_LOOP, type_ether 0x9000
NULL, type_ether 0
mytcp_protocol, val tcp_data 0 long 0xfedcba97

#
# protocol header definitions
#

# Leaf header layouts. Each field reads as
#   <type> <name>[<count>] "<display label>" <display format> [BIG]
# where BIG presumably selects big-endian (network) byte order -- confirm.
# Sub-byte fields are listed low-order first within a byte (ip_hl before ip_v,
# th_flags_fin first), so the interpreter presumably assigns bits LSB-first.

# Ethernet header: two 6-byte addresses and the 16-bit type.
typedef struct {
    u_char destination[6] "destination address" ADDR_ETH;
    u_char source[6] "source address" ADDR_ETH;
    u_short type "ethernet type" HEX BIG;
} ETHERNET;

# Fixed part of the IP header; the declared fields add up to 20 bytes.
typedef struct {
    nibble ip_hl "header length in byte" INT BIG;
    nibble ip_v "IP version" INT BIG;
    u_char ip_tos "type of service" INT BIG;
    short ip_len "total length" INT BIG;
    u_short ip_id "identification" INT BIG;
    short ip_off "fragment offset filed" INT BIG;
    u_char ip_ttl "time to live" INT BIG;
    u_char ip_p "protocol" INT BIG;
    u_short ip_sum "checksum" INT BIG;
    u_char ip_src[4] "source address IP" ADDR_IP;
    u_char ip_dst[4] "destination address IP" ADDR_IP;
} IP_HEADER;

# Fixed part of the TCP header, with the flag byte split into eight 1-bit fields.
typedef struct {
    u_short th_sport "source port" PORT BIG;
    u_short th_dport "destination port" PORT BIG;
    tcp_seq th_seq "sequence number" INT BIG;
    tcp_seq th_ack "acknoledgment number" INT BIG;
    nibble th_x2 "unused" INT BIG;
    nibble th_off "data offset" INT BIG;
    bit th_flags_fin "flag FIN" INT BIG;
    bit th_flags_syn "flag SYN" INT BIG;
    bit th_flags_rst "flag RST" INT BIG;
    bit th_flags_push "flag PUSH" INT BIG;
    bit th_flags_ack "flag ACK" INT BIG;
    bit th_flags_urg "flag URG" INT BIG;
    bit th_flags_unused1 "flag unused" INT BIG;
    bit th_flags_unused2 "flag unused" INT BIG;
    u_short th_win "window" INT BIG;
    u_short th_sum "checksum" INT BIG;
    u_short th_urp "urgent pointer" INT BIG;
} TCP_HEADER;

# UDP header.
typedef struct {
    u_short uh_sport "source port" PORT BIG;
    u_short uh_dport "destination port" PORT BIG;
    short uh_ulen "udp length" INT BIG;
    u_short uh_sum "udp checksum" INT BIG;
} UDP_HEADER;

# One route entry; used as the repeated element of ROUTE_CMD below.
typedef struct {
    u_short sa_family "address family" INT BIG;
    char unused1[2] "unused" ASCII;
    u_char ip_src[4] "destination network" NET_NAME;
    char unused2[8] "unused" ASCII;
    int rip_metric "cost of route" INT BIG;
} SOCK_ADDR;

# RIP command header; ROUTE_CMD below matches rip_cmd values 1 and 2.
typedef struct {
    u_char rip_cmd "RIP cmd" INT;
    u_char rip_vers "protocol version" INT;
    u_char rip_res1[2] "pad to 32-bit boundary" ASCII;
} ROUTE_HEADER;

# Fixed part of an ARP packet; the address fields are declared in ARP below.
typedef struct {
    u_short ar_hrd "format of hardware address" HEX BIG;
    u_short ar_pro "format of protocol address" HEX BIG;
    u_char ar_hln "length of hardware address" INT BIG;
    u_char ar_pln "length of protocol address" INT BIG;
    u_short ar_op "operation" INT BIG;
} ARP_HEADER;

# Composite protocols. A member written as "<type> <name> <expression>;"
# appears to carry a match condition: the enclosing protocol applies only when
# the expression over the already-decoded member holds.
# NOTE(review): UDP_HEADER and TCP_HEADER are declared directly after the
# 20-byte IP_HEADER, and nothing here references ip_hl or ip_off. A packet with
# IP options, or a non-first fragment, would presumably be decoded at the wrong
# offset unless the interpreter compensates -- confirm before relying on the
# port-based matches below.
typedef struct {
    ETHERNET ethernet ethernet.type == ETHERTYPE_IP;
    IP_HEADER ip_header;
} IP;

typedef struct {
    IP ip ip.ip_header.ip_p == IPPROTO_UDP;
    UDP_HEADER udp_header;
} UDP;

typedef struct {
    IP ip ip.ip_header.ip_p == IPPROTO_TCP;
    TCP_HEADER tcp_header;
} TCP;

# NFS: UDP with NFS_PORT as either destination or source port.
typedef struct {
    UDP udp udp.udp_header.uh_dport == NFS_PORT || udp.udp_header.uh_sport == NFS_PORT;
} NFS;

# X: TCP with source or destination port in 6000..6010.
typedef struct {
    TCP tcp (tcp.tcp_header.th_sport >= 6000 && tcp.tcp_header.th_sport <= 6010) || (tcp.tcp_header.th_dport >= 6000 && tcp.tcp_header.th_dport <= 6010);
} X;

# MULTICAST: low bit of the first destination byte set, and that byte not 0xFF.
typedef struct {
    ETHERNET ethernet ethernet.destination[0] & 0x01 && ethernet.destination[0] != 0xFF;
} MULTICAST;

# NOTE(review): both sides of the || test th_sport. NFS and X above test one
# source and one destination port, so the second operand was presumably meant
# to be th_dport; as written only traffic *from* port 513 matches.
typedef struct {
    TCP tcp tcp.tcp_header.th_sport == LOGIN_PORT || tcp.tcp_header.th_sport == LOGIN_PORT;
} LOGIN;

# ROUTE_CMD: UDP with both ports equal to ROUTE_PORT, then a RIP header with
# rip_cmd 1 or 2, then SOCK_ADDR entries. sock[UNKNOWN] has size -1, which
# presumably means "count not known in advance" (e.g. repeat to end of data).
# NOTE(review): the count is then implied by the packet, so the interpreter
# presumably has to stop at the end of the captured bytes -- confirm.
typedef struct {
    UDP udp udp.udp_header.uh_dport == ROUTE_PORT && udp.udp_header.uh_sport == ROUTE_PORT;
    ROUTE_HEADER route route.rip_cmd == 2 || route.rip_cmd == 1 ;
    SOCK_ADDR sock[UNKNOWN];
} ROUTE_CMD;

# ARP restricted to ar_hrd == 1 and ar_pro == 0x0800, with fixed 6-byte and
# 4-byte addresses. The ar_hln / ar_pln length fields are not used to size them.
typedef struct {
    ETHERNET ethernet ethernet.type == ETHERTYPE_ARP;
    ARP_HEADER arp_h arp_h.ar_hrd == 1 && arp_h.ar_pro == 0x0800;
    u_char source[6] "source address hardware fmt" ADDR_ETH;
    u_char ip_src[4] "source address protocol fmt" ADDR_IP;
    u_char destination[6] "destination address hardware fmt" ADDR_ETH;
    u_char ip_dst[4] "destination address protocol fmt" ADDR_IP;
    u_char unused[18] "unused" ASCII;
} ARP;

# Length-prefixed test records (type, lgth, payload). In the array forms the
# element count is computed from lgth, a field read from the packet
# (lgth/4, lgth, lgth/8); int is declared above as SIGNED 32.
# NOTE(review): the file expresses no upper bound or sign check on lgth, so the
# interpreter presumably has to clamp these counts to the bytes actually
# captured before it decodes or allocates anything -- confirm.
typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    int data[lgth/4] "array of int" INT;
} ARRAY_INT;

typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    char info[lgth] "string" ASCII;
} STRING;

typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    float val "float" FLOAT;
} FLOAT;

typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    double val "double" DOUBLE;
} DOUBLE;

typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    float val[lgth/4] "array of float" FLOAT;
} ARRAY_FLOAT;

typedef struct {
    int type "type of data" INT;
    int lgth "length of data" INT;
    double val[lgth/8] "array of double" DOUBLE;
} ARRAY_DOUBLE;

typedef struct {
    int type "type of union" INT;
    int lgth "length of union" INT;
    char name_union[32] "name of union" ASCII;
} UNION_TYPE;

# TPDU variants. Each starts with a one-byte tp_code, which KINDOFTPDU below
# uses to choose the variant.
typedef struct {
    u_char tp_code "T-Connect Request " INT BIG;
    u_short dstref "dst-ref" INT BIG;
    u_short srcref "src-ref" INT BIG;
    nibble class "class TP" INT BIG;
    nibble option "options " INT BIG;
    u_char inc1 "inc" INT BIG;
    u_char inc2 "inc" INT BIG;
    u_char inc3 "inc" INT BIG;
    u_char inc4 "inc" INT BIG;
} TPDU_CR;

typedef struct {
    u_char tp_code "T-Connect Confirm " INT BIG;
    u_short dstref "dst-ref" INT BIG;
    u_short srcref "src-ref" INT BIG;
    nibble class "class TP" INT BIG;
    nibble option "options " INT BIG;
} TPDU_CC;

typedef struct {
    u_char tp_code "T-Disconnect Request " INT BIG;
    u_short dstref "dst-ref" INT BIG;
    u_short srcref "src-ref" INT BIG;
    u_char reson "disconnection reason" INT BIG;
} TPDU_DR;

typedef struct {
    u_char tp_code "T-Data " INT BIG;
    u_char nr "nr" INT BIG;
} TPDU_DT;

typedef struct {
    u_char tp_code "T-Expedited Data " INT BIG;
    u_short nr "nr" INT BIG;
} TPDU_ED;

typedef struct {
    u_char tp_code "T-Error " INT BIG;
    u_short dstref "dst-ref" INT BIG;
    u_char reject "reject" INT BIG;
} TPDU_ER;

# A union lists alternatives; each arm's expression tests a field of that same
# arm, so the arm whose condition holds is presumably the one decoded.
typedef union {
    TPDU_CR cr cr.tp_code == 0xe0;
    TPDU_CC cc cc.tp_code == 0xd0;
    TPDU_DR dr dr.tp_code == 0x80;
    TPDU_DT dt dt.tp_code == 0xfe;
    TPDU_ED ed ed.tp_code == 0x10;
    TPDU_ER er er.tp_code == 0x70;
} KINDOFTPDU;

# ISO: selected by a list of ethernet.type values, followed by a short header,
# one TPDU variant and text of unknown length (text[UNKNOWN]).
typedef struct {
    ETHERNET ethernet ethernet.type == 0x39 || ethernet.type == 0x41 || ethernet.type == 0x37 || ethernet.type == 0x42b || ethernet.type == 0x5d || ethernet.type == 0x7c ;
    u_char pk_vrsn "version" INT BIG;
    u_char pk_rsrvd "reserved" INT BIG;
    u_short pk_lenght "frame length" INT BIG;
    u_char tp_li "variable length" INT BIG;
    KINDOFTPDU montpdu;
    char text[UNKNOWN] "Text" ASCII;
} ISO;

# Test unions keyed on the type field of each length-prefixed record above.
typedef union {
    STRING string string.type == 1;
    FLOAT float float.type == 2;
    DOUBLE double double.type == 3;
} U_TEST2;

typedef union {
    ARRAY_INT array_int array_int.type == 0;
    ARRAY_FLOAT array_float array_float.type == 4;
    ARRAY_DOUBLE array_double array_double.type == 5;
    UNION_TYPE union_type union_type.type == -1;
} U_TEST1;

# Containers holding an unknown number of union elements. [-1] is the same
# value as UNKNOWN, so these are presumably also "count not known in advance".
# NOTE(review): these nest (PROTOCOL_TEST -> TEST -> TEST1/TEST2 -> U_TEST*),
# each level with an open-ended count taken from the packet; the interpreter
# presumably needs an end-of-data stop at every level -- confirm.
typedef struct {
    int type "array type" INT;
    int lgth "length of union" INT;
    U_TEST1 test[-1];
} TEST1;

typedef struct {
    int type "1 element" INT;
    int lgth "length of union" INT;
    U_TEST2 test[-1];
} TEST2;

# NOTE(review): the test2 arm is conditioned on test1.type. Every other union
# arm in this file tests its own member, so this was presumably meant to be
# test2.type == 7.
typedef union {
    TEST1 test1[-1] test1.type == 6;
    TEST2 test2[-1] test1.type == 7;
} TEST;

# Test protocol: UDP with port 12 as destination or source, a union count, and
# the unions themselves.
typedef struct {
    UDP udp udp.udp_header.uh_dport == 12 || udp.udp_header.uh_sport == 12;
    int nb_union "# union" INT;
    TEST test[-1];
} PROTOCOL_TEST;