Ethereal-dev: [ethereal-dev] Table-driven packet dissection?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Mon, 08 Feb 1999 01:39:49 +1000
Hi,

I wanted to add support for SMB into ethereal, and support for this, and that,
and then I looked at the code ...

While ethereal is great, I would like to get rid of Win95 and NetMon, but I
can't.

It seems that a big stumbling block to adding new dissection routines to
ethereal at the moment is that you have to know a lot about the code
organization, and you have to find the routine you need to change, then you
have to hack in a call to your new routine, etc.

It struck me that there had to be a better way to do this, and I thought that
a table-based approach would be better.

Before I invest too much effort, however, let me describe what I want to
do, and if it is already in progress, well and good. If not, then feedback
would be appreciated.

GOALS.

1. Allow ethereal to be modified more easily.  This will allow the adding
   of new protocol dissect routines without one needing to know how to
   modify the base code

2. Allow new ethereal modules to be added as dynamically linked libraries
   that are loaded at runtime with dlopen or some such

SPECIFICS

I propose having a table-driven approach. At any protocol level, from
FRAME_TYPE to the highest (e.g., SMB type) we would have a table that
contains things like:

  Protocol name
  Offset into packet and length
  Series of (value, dissect routine, next level table) 3-tuples

Although obviously, for this last, we will want a more efficient structure
than the obvious.  Perhaps minimal perfect hashing will be needed in some
cases.

Routines would be registered in tables, and we would have a hierarchy,
something like:

   /ethernetV2/IP/TCP/SMB 

and a series of linked tables.

At each level, when a routine is called, it is passed the next level table
if any, otherwise NULL.
  
A routine is defined like:

   dissect_IP(packet, next-table, gtk-pointers it needs ...)

There will need to be a set of routines to manage the dissect tables.
Routines to add tables, add elements, etc.  I think there will be a need to
add a routine dynamically to handle things like TFTP, etc.

So, has it all been done before?  Am I just blowing hot air?  Etc.



Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NIC-Handle:RJS96
NS Computer Software and Services P/L, 
Ph: +61-8-8281-0063, FAX: +61-8-8250-2080, 
Samba (Team member), Linux, Apache, Digital UNIX, AIX, C, ...
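
The table layout proposed in the message above, as an added C example that is not part of the original post or of ethereal's code. All names (dispatch, dissect_sample, the table fields), the "deepest protocol reached" return value and the bounds checks on the untrusted packet are assumptions of this example; the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct table;
/* A dissect routine gets its layer's bytes and the next-level table (or NULL). */
typedef int (*dissect_fn)(const uint8_t *p, size_t len, const struct table *next, const char **last);
struct entry { uint32_t value; dissect_fn fn; const struct table *next; };
struct table {
    const char *name;                 /* protocol name */
    size_t off, width;                /* selector: offset into packet and length */
    const struct entry *e; size_t n;  /* (value, dissect routine, next-level table) */
};

/* Read the big-endian selector from a header of hdr bytes, then call the match. */
static int dispatch(const struct table *t, const uint8_t *p, size_t len, size_t hdr,
                    const char **last) {
    uint32_t v = 0;
    if (hdr > len) return -1;                    /* header runs past captured bytes */
    if (!t) return 0;                            /* leaf protocol, nothing to select */
    if (t->width > 4 || t->off > hdr || t->width > hdr - t->off) return -1;
    for (size_t i = 0; i < t->width; i++) v = (v << 8) | p[t->off + i];
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].value == v)
            return t->e[i].fn(p + hdr, len - hdr, t->e[i].next, last);
    return -1;                                   /* no routine registered for v */
}

static int dissect_tcp(const uint8_t *p, size_t len, const struct table *next, const char **last) {
    if (len < 20) return -1;                     /* minimum TCP header */
    *last = "TCP";
    return dispatch(next, p, len, (size_t)(p[12] >> 4) * 4, last);
}
static int dissect_ip(const uint8_t *p, size_t len, const struct table *next, const char **last) {
    if (len < 20 || (p[0] & 0x0f) < 5) return -1; /* truncated or bad IHL */
    *last = "IP";
    return dispatch(next, p, len, (size_t)(p[0] & 0x0f) * 4, last);
}
static const struct entry ip_children[] = { { 6, dissect_tcp, NULL } };
static const struct table ip_table = { "IP", 9, 1, ip_children, 1 };
static const struct entry eth_children[] = { { 0x0800, dissect_ip, &ip_table } };
static const struct table eth_table = { "ethernetV2", 12, 2, eth_children, 1 };
/* Constructed 54-byte frame (Ethernet + IPv4 + TCP); dissects its first len bytes
 * and returns the deepest protocol reached, or NULL if dissection failed. */
const char *dissect_sample(size_t len, uint8_t ip_proto) {
    uint8_t f[54] = {0};
    const char *last = eth_table.name;
    f[12] = 0x08; f[14] = 0x45; f[23] = ip_proto; f[46] = 0x50;
    return len <= sizeof f && dispatch(&eth_table, f, len, 14, &last) == 0 ? last : NULL;
}
int main(void) { const char *r = dissect_sample(54, 6); return !(r && strcmp(r, "TCP") == 0); }
```

Adding a protocol here means adding one entry to a table; an SMB routine would hang off a TCP table keyed on the port field in the same way.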