Ethereal-dev: Re: [ethereal-dev] Ethereal - Displaying IPX Net names and hostnames in capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Mon, 8 Nov 1999 16:48:43 -0600
On Mon, Nov 08, 1999 at 04:34:27PM -0600, Farley, Tim (ISSAtlanta) wrote:
> 
> There is an API available inside NETMON that lets a "parser" (what Ethereal
> calls a "dissector") tell NETMON when it has found a name in a packet. When
> parsing a packet that has a system name in its payload, you yank the name
> out of the packet and pass it to the API.  Then NETMON knows that name is
> associated with the addressing on that packet.  Of course, you need a way in
> the API to tell which side of the connection the name is associated with.
> For other cases, instead of taking the addressing off the packet, you'd want
> to pass an address to the API so for instance if you were parsing a DNS zone
> transfer, you could build up an address list as you saw it go by.
> 
> This scheme works amazingly well, because typically network applications
> will "look up" the name of a system right before they contact it.  So in many
> cases the names you want are right there in the data you captured.

What worries me are the cases in which an address is used (perhaps by
another host) *before* a name lookup is made. Let's say some IPX client
is talking to our server, so we add this line to the packet summary GUI:

C0A82C00.0000f6000001      00000BAD.000000000001	NCP	File read

And then we find the SAP naming our 0xC0A82C00 and 0xBAD network (or server).
How should ethereal go back and update the text it has already printed
in the packet summary?

Should two passes be made? We could mark those packets which had a name which
could not be resolved, so after parsing a file, if we made any updates to our
name cache, we could go back and re-parse those packets. 

--gilbert
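
The mark-and-re-parse approach proposed in the message above, written out as an added C example; it is not Ethereal's code and not from either poster. The structures and function names are hypothetical, and the name cache is a fixed-size array keyed only on the IPX network number.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical structures for illustration; not Ethereal's own. */
struct row { uint32_t src, dst; int unresolved; char text[96]; };
static struct { uint32_t net; char name[32]; } cache[16];
static int n_names;

static const char *lookup(uint32_t net) {
    for (int i = 0; i < n_names; i++)
        if (cache[i].net == net) return cache[i].name;
    return NULL;
}

/* A dissector calls this when it sees a name (e.g. in a SAP packet). The name
   is captured data, so the copy is length-bounded. Returns 1 on a cache update. */
static int learn_name(uint32_t net, const char *name) {
    if (lookup(net) || n_names == 16) return 0;
    cache[n_names].net = net;
    snprintf(cache[n_names].name, sizeof cache[n_names].name, "%s", name);
    n_names++;
    return 1;
}

static void fmt_net(char *out, size_t len, uint32_t net, int *unresolved) {
    const char *n = lookup(net);
    if (n) snprintf(out, len, "%s", n);
    else { snprintf(out, len, "%08X", (unsigned)net); *unresolved = 1; }
}

/* First pass: build the summary text, marking the row if a name is missing. */
static void render(struct row *r) {
    char s[40], d[40];
    r->unresolved = 0;
    fmt_net(s, sizeof s, r->src, &r->unresolved);
    fmt_net(d, sizeof d, r->dst, &r->unresolved);
    snprintf(r->text, sizeof r->text, "%s -> %s", s, d);
}

/* Second pass: revisit only marked rows. Returns how many became fully
   resolved; rows that still lack a name stay marked for a later pass. */
static int second_pass(struct row *rows, int n) {
    int resolved = 0;
    for (int i = 0; i < n; i++)
        if (rows[i].unresolved) { render(&rows[i]); resolved += !rows[i].unresolved; }
    return resolved;
}
```

Running `second_pass` only when `learn_name` returned 1 during the first pass avoids re-parsing a capture whose name cache never changed.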