I was thinking about making the next relase of Ethereal be 0.9.0, since we have
some new features that are visible to the user (configural preferences). But
then I thought I'd continue with 0.8.11, and then concentrate on fragmented IP
packets. That would be something very nice to tackle, and would be worthy of a
new minor version.
I was thinking about how to implement IP defragging, and realized that we need
a new container. Here's why.
When I implemented tvbuff's, at first I was going to have the caller of
dissect_packet() create the tvbuff, then call dissect_packet(). But there's a
lot of places that call dissect_packet(), so it was easier to pass the uchar*
to dissect_packet() and have dissect_packet() create the tvbuff. After
dissecting, dissect_packet() destroys the tvbuff(), deallocating all memory
associated with that tvbuff.
That's okay for now, since all tvbuff's are either TVBUFF_REAL_DATA or
TVBUFF_SUBSET. It is likely that we'll use TVBUFF_COMPOSITE for IP defragging.
Once we do that, we have to keep the tvbuff around even after the packet is
dissected, because the unified byte array that represents the defragged packet
exists only within the tvbuff. Once the TVBUFF_COMPOSITE tvbuff is destroyed,
the unified byte array disappears. The current [crappy] proto_tree routines
make their own copy of FT_BYTEs and FT_STRINGs, so that's not the problem.
(Although when I eventually re-do the display filter routines, I was hoping to
not copy the FT_BYTE values, but just store a pointer).
The problem is the packet_hex_print() routine, which is called in
select_packet() after the dissect_packet() returns. packet_hex_print() needs
the data, and in fact, will need to use accept a tvbuff as a parameter once we
create a TVBUFF_COMPOSITE.
So, I'm proposing a container, perhaps called "frame_dissection", which holds
the proto_tree* that is filled out by dissect_packet(), and holds the tvbuff.
The frame_dissection routines will be responsible for creating and deleting
the
tvbuff; dissect_packet() will no longer do it.
Thoughts? Tangents? Vetoes?
--gilbert