Ethereal-dev: Re: [ethereal-dev] Should "Follow TCP Stream" filter the display or not?
On Wed, 25 Aug 1999, Ashok Narayanan wrote:
> Actually, I have something to say about this. Protocols which run over
> TCP typically are not cognizant of packet boundaries; they have their
> own internal packetization. Having these protocols limited to IP
> packets means that a large packet in a TCP flow which has many IP
> packets (or many small protocol packets in a single IP packet) is not
> handled well. This weakness is evident in MS Netmon as well.
True.
> I think we have an opportunity to do something different
> here. Basically, for a TCP connection, you find all the packets in
> that connection, extract the data portion of those packets, write them
> to a separate (temporary) file, then run a protocol-only decoder on
> that data - perhaps in a separate window. I have some demo code for
> this which I'll send in shortly. This will allow us to write TCP-based
> protocol decoders properly.
This should be easy to add into the follow TCP code. The code already
should handle IP fragments, IP arriving out of order wrt the sequence
number, and IP fragmentation that causes overwrites on some of the data
already received (rare case.) The data is currently being sent out to the
window that pops up, but I always intended to make some TCP service based
filters that would process this information. The first one I thought of
was a TELNET filter that would convert all the terminal information and
other environment stuff that is passed during a TELNET setup. Then display
the text properly. Right now, looking at TELNET works, but you have a lot
of trash at the beginning. I wrote the code with the intention of having
the filter. I have not looked to see if any changes have been done lately,
but the "raw data" should be written out to a temp file and then read back
in. You could insert the TCP service based filter when you read that temp
file back in.
I feel bad that I have not been able to do everything I wanted to when I
first added the follow code, but my day job work has been demanding, and I
have been helping a friend of mine who started the Trinux distribution of
Linux. Hopefully, some time in about two months, I will have some more
time to dedicate to ethereal. Until then, if you guys have any questions
about the follow tcp code, let me know.
> As far as having a filter to select all IP packets in a TCP
> connection, that can be a separate filter option - maybe from the
> menu. We'd use the same (or a similar) filter to actually find the
> packets for the above stuff, but it would not be in the same window et
> al.
I think adding a "set filter to this connection" and "set filter to these
two IP" might be very useful as menu items.
--Mike
+===================================================================+
| Mike Hall Real programmers dream in Java. |
| mlh@xxxxxx Linux rules! Everything else just works. |
+===================================================================+
| finger mlh@xxxxxx for public PGP key |
+===================================================================+
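
The TELNET filter idea discussed in this message, as an added example that is not part of the original email or of Ethereal's code: a stateful decoder that strips option negotiation from the reassembled stream, so a command cut in two by a segment boundary is still removed. The names `tn_feed`, `tn_state` and `tn_demo_split` are hypothetical and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Telnet command bytes from RFC 854. */
enum { SE = 240, SB = 250, WILL = 251, DONT = 254, IAC = 255 };

/* State is kept between calls, so a command split across two TCP
   segments is still recognised. All names here are hypothetical. */
typedef enum { ST_DATA, ST_IAC, ST_OPT, ST_SB, ST_SB_IAC } tn_state;

/* Feed one chunk of the reassembled stream; copies displayable bytes to
   out (at least len bytes long) and returns how many were written. */
size_t tn_feed(tn_state *st, const unsigned char *in, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        switch (*st) {
        case ST_DATA:
            if (c == IAC) *st = ST_IAC; else out[n++] = c;
            break;
        case ST_IAC:
            if (c == IAC) { out[n++] = c; *st = ST_DATA; }    /* escaped 0xFF */
            else if (c >= WILL && c <= DONT) *st = ST_OPT;    /* WILL/WONT/DO/DONT */
            else *st = (c == SB) ? ST_SB : ST_DATA;           /* SB or 2-byte command */
            break;
        case ST_OPT:    *st = ST_DATA; break;                  /* skip the option code */
        case ST_SB:     if (c == IAC) *st = ST_SB_IAC; break;  /* skip subnegotiation */
        case ST_SB_IAC: *st = (c == SE) ? ST_DATA : ST_SB; break;
        }
    }
    return n;
}

/* Constructed sample: IAC DO 24, IAC WILL 1, IAC SB 24 1 IAC SE, "login: ".
   Decode it as two chunks cut at `split`; returns 1 if only the text remains. */
int tn_demo_split(size_t split)
{
    static const unsigned char s[] = { 255,253,24, 255,251,1, 255,250,24,1,255,240,
                                       'l','o','g','i','n',':',' ' };
    unsigned char out[sizeof s];
    tn_state st = ST_DATA;
    if (split > sizeof s) split = sizeof s;
    size_t n = tn_feed(&st, s, split, out);
    n += tn_feed(&st, s + split, sizeof s - split, out + n);
    return n == 7 && memcmp(out, "login: ", 7) == 0;
}

int main(void) { for (size_t k = 0; k <= 19; k++) printf("split %zu: %d\n", k, tn_demo_split(k)); return 0; }
```

A decoder that restarted at every packet would emit the tail of a split command as text; carrying `tn_state` across calls is what lets it run over the stream instead of over individual packets.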