Wireshark · Ethereal-dev: Re: [ethereal-dev] Keeping state for SMB decodes

Ethereal-dev: Re: [ethereal-dev] Keeping state for SMB decodes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Fri, 22 Oct 1999 00:28:05 -0700

I checked the conversation code in, and the code to generalize
"pi.ip_src" and "pi.ip_dst" - dissectors now don't set the source and
destination address or port columns, they just set the appropriate
members of "pi", and the "fill_in_columns()" routine will set the
columns when the dissection is done.

(Right now, some dissectors still set the columns directly; this will
still work, unless a lower-level dissector sets
"pi.dl_src"/"pi.dl_dst"/"pi.src"/"pi.dst" and a higher-level dissector
sets the network-layer source column directly; there are some dissectors
that still set the network-layer source column directly, but I'll fix
those next.)

To add a new address type, you add a new AT_ value to the "address_type"
enum in "packet.h", and a new case to the "col_set_addr()" routine in
"file.c".

> Right now, I don't do anything clever with port numbers; however, to
> handle, say, SMB over protocols other than TCP, we probably want to
> figure out some way of generalizing port numbers.  For example, the LLC
> code might use the SSAP and DSAP as port numbers (to handle SMB over
> NetBIOS Frame over LLC Type 2); I don't know what would be done for,
> say, Novell or OSI protocols.

I added a "port_type" enum, similar to the "address_type" enum, and have
the dissectors set it; currently, there's only PT_UDP and PT_TCP.

The conversation changes mean that SMB should now transparently handle
TRANSACT2 (a request type where the request contains a transaction type,
but the reply does *not*, so you need to find the reply that matches a
given request in order to dissect the reply) in
NetBIOS-over-TCP-over-IPv6 - and may also handle NetBIOS over other
protocols (NetBIOS Frame, probably, as it uses "src"/"dst" rather than
"net_src"/"net_dst"; we *might* have to set the port for various flavors
of NetBIOS over IPX in order to get the transaction-matching to work
there.

It also means that AFS should also transparently handle UDP-over-IPv6.

Currently, the code for "Follow TCP Stream" doesn't use the conversation
stuff; however, it does check for IPv4 addresses (the code as it stands
thinks network-layer addresses are 4 bytes long).  It should probably be
changed to use the conversation stuff at some point.

References:
- [ethereal-dev] Keeping state for SMB decodes
  - From: Richard Sharpe
- Re: [ethereal-dev] Keeping state for SMB decodes
  - From: Guy Harris

Prev by Date: Re: [ethereal-dev] New code from NTP.
Next by Date: Re: [ethereal-dev] Bug in display filter
Previous by thread: Re: [ethereal-dev] Keeping state for SMB decodes
Next by thread: Re: [ethereal-dev] Keeping state for SMB decodes
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$