Wireshark · Ethereal-dev: Re: [ethereal-dev] Graphs

Ethereal-dev: Re: [ethereal-dev] Graphs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>

Date: Wed, 15 Sep 1999 00:28:03 -0500

On Tue, Sep 14, 1999 at 11:12:37PM -0500, Bibek Sahu wrote:
> 
> 	I've skimmed through those already; I suppose it's now time to do a
> thorough analysis.
> 
> 	In particular, I need to know the details of how to dissect an
> already-built protocol tree (specifically pulling that tcp info out of it).
> 

The functions that dfilter.c uses to find protocols and fields in
a proto_tree show how to walk the tree. These functions are a bit
complicated, since I try to speed up certain cases. You might be able
to use some of them. For example, proto_find_protocol_multi() searches
a proto_tree, looking for a protocol (say, "proto_tcp"), and for every
subtree in which it finds the protocol, it calls your callback function.
Your callback function is passed the GNode* representing the tree under
that protocol.  Because of tunnelling, TCP packets can occur within other
TCP packets -- that's why proto_find_protocol_multi() has the "multi" in it.
You'll have to watch out for multiply-occuring protocols as well.
I don't have a proto_find_protol_uni() function, which would return the
_first_ instance of a protocol within a packet, but it would be easy
to write.

A proto_tree is really a GNode. You should read the GLIB documentation
about GNodes (and the g_node_* functions). These functions,
as well as most of GLIB, GTK+, and GDK functions are documented at
http://www.gtk.org/rdp/.

proto_check_for_protocol_or_field() is the most straightforward
example, although it is lengthy. It does a g_node_traverse() call
on the proto_tree, using check_for_field_within_protocol() as the
callback function executed on each node. Here I walk the tree only
through the first two layers. The first layer is one empty node which
holds the nodes representing each protocol. The second layer is
these "protocol" nodes.

I then have check_for_field_within_protocol() do _another_ g_node_traverse,
along the entire depth of the protocol subtree (that is, the node
that was passed to it by the first g_node_traverse). So, once a protocol's
subtree is found, the entire subtree is searched to check for the
existene of a field within that subtree.

--gilbert

References:
- Re: [ethereal-dev] Graphs
  - From: Guy Harris
- Re: [ethereal-dev] Graphs
  - From: Bibek Sahu

Prev by Date: Re: [ethereal-dev] Graphs
Next by Date: Re: [ethereal-dev] Graphs
Previous by thread: Re: [ethereal-dev] Graphs
Next by thread: Re: [ethereal-dev] Graphs
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$