Ethereal-dev: [ethereal-dev] half-conversations
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Date: Thu, 18 May 2000 11:03:33 +0200
> I.e., you know that there will be a conversation between two machines,
> but you only know the IP address and port number of one of the sides of
> the conversation?

Yes.

> In the case of TFTP, all packets other than the initial one would
> probably be between the same two IP address/port pairs, so a
> "half-conversation" could be created when a packet to the TFTP port is
> seen, and that "half-conversation" could be converted to a full
> conversation as soon as the reply is seen - it'd match all packets
> except the first (although, if we make conversations visible in the UI
> above and beyond the stuff for TCP streams, we might either want to be
> able to make the first packet an "honorary member" of that conversation,
> or leave it as a half-conversation, so that the TFTP conversation
> includes all the packets).
>
> Could a similar scheme be used for H.323?

Yes, I think so, with the difference that the IP address comes from the contents of a frame.

What I have so far (and it seems to work) is that as soon as I dissect an IP address and port I call a function that checks if the H.245 heuristic dissector was initialized (if not it does so), it then searches for a conversation where the new IP address and port are a member of, using a fake address. If the address is not a part of a conversation, a new conversation is created using the same fake address.

When the heuristic dissector receives a frame, it checks whether the source or destination are part of a conversation using, both times, the same fake address as mentioned above.

This code is not so bad to the eye, but in an ideal situation you'd want to get rid of the fake address as soon as you have found out the new destination or source address. The problem is you can't detect if the conversation you're looking for has already lost the fake address, so you wouldn't win anything, because you'd have to check both the half and full conversations.

In my eyes, the current situation works reasonably well, and getting new code would only make matters worse. The current code ( using some C++, but that's not the point ;-) ) is this:

static address fake_addr;
static int heur_init = FALSE;

void h245_add_address( const unsigned char* ip_addr, int prt )
{
  address src_addr;
  conversation_t* pconv = ( conversation_t* ) NULL;

  src_addr.type = AT_IPv4;
  src_addr.len = 4;
  src_addr.data = ip_addr;

  /* Register the heuristic dissector the first time an address is seen. */
  if ( ! heur_init )
  {
    heur_dissector_add( "tcp", dissect_h245 );
    heur_init = TRUE;
  }

  /* Half-conversation: the known endpoint paired with the fake address. */
  pconv = find_conversation( &src_addr, &fake_addr, PT_TCP, prt, 0 );
  if ( ! pconv )
  {
    conversation_new( &src_addr, &fake_addr, PT_TCP, prt, 0, NULL );
  }
}

static void h245_init( void )
{
  // Create a fake address...
  fake_addr.type = AT_IPv4;
  fake_addr.len = 4;

  unsigned char* tmp_data = new unsigned char[ fake_addr.len ];
  for ( int i = 0; i < fake_addr.len; i++ )
  {
    tmp_data[i] = 0;
  }
  fake_addr.data = tmp_data;
}

gboolean dissect_h245( const u_char *pd, int offset, frame_data *fd, proto_tree *tree )
{
  /* This is a heuristic dissector, so we first check if
   * the frame is meant for us.
   */
  conversation_t* pconv;

  /* Parenthesised so that pconv receives the pointer, not the result of the comparison. */
  if ( ( pconv = find_conversation( &pi.src, &fake_addr, pi.ptype, pi.srcport, 0 ) ) == NULL )
  {
    /*
     * The source ip:port was not what we were looking for, check the destination
     */
    if ( ( pconv = find_conversation( &pi.dst, &fake_addr, pi.ptype, pi.destport, 0 ) ) == NULL )
    {
      return FALSE;
    }
  }

  if ( check_col( fd, COL_PROTOCOL ) )
  {
    col_add_str( fd, COL_PROTOCOL, "H245" );
  }
  if ( check_col( fd, COL_INFO ) )
  {
    col_add_fstr( fd, COL_INFO, "H245 found" );
  }
  return TRUE;
}

--
Andreas Sikkema andreas.sikkema@xxxxxxxxxxx
"Standing barefoot in a river of clues, most people would not get their toes wet."
- Brian Kantor in a.s.r.
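The half-to-full promotion discussed in this thread, as an added example that is not part of the original message and does not use Ethereal's conversation API. The `endpoint` and `conv` types, the fixed-size table, and the functions `conv_new_half` and `conv_find` are hypothetical; the lookup tries full matches first and then half matches, which is the double check the message describes.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical minimal conversation table; not Ethereal's conversation API. */
typedef struct { uint32_t ip; uint16_t port; } endpoint;
typedef struct { endpoint a, b; int half; } conv;  /* half: b not yet known */

#define MAX_CONV 16
static conv table[MAX_CONV];
static size_t n_conv;

static int ep_eq(endpoint x, endpoint y) { return x.ip == y.ip && x.port == y.port; }

/* Register the single endpoint learned from the contents of a frame. */
conv *conv_new_half(endpoint known) {
    for (size_t i = 0; i < n_conv; i++)        /* already registered */
        if (ep_eq(table[i].a, known)) return &table[i];
    if (n_conv == MAX_CONV) return NULL;       /* table full: refuse */
    table[n_conv] = (conv){ .a = known, .half = 1 };
    return &table[n_conv++];
}

/* Look up a packet by its two endpoints. Full conversations are checked
 * first, then half-conversations on either side. A half match is promoted
 * to a full conversation, so a third host that later talks to the same
 * endpoint no longer matches it. */
conv *conv_find(endpoint src, endpoint dst) {
    for (size_t i = 0; i < n_conv; i++) {
        conv *c = &table[i];
        if (!c->half && ((ep_eq(c->a, src) && ep_eq(c->b, dst)) ||
                         (ep_eq(c->a, dst) && ep_eq(c->b, src))))
            return c;
    }
    for (size_t i = 0; i < n_conv; i++) {
        conv *c = &table[i];
        if (!c->half) continue;
        if (ep_eq(c->a, src)) { c->b = dst; c->half = 0; return c; }
        if (ep_eq(c->a, dst)) { c->b = src; c->half = 0; return c; }
    }
    return NULL;
}
```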