Wireshark · Ethereal-dev: Re: [Ethereal-dev] New FT type

Ethereal-dev: Re: [Ethereal-dev] New FT type

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Glen Turner <glen.turner@xxxxxxxxxxxxx>

Date: Thu, 25 Jan 2001 12:46:29 +1030

Ed Warnicke wrote:
> 
> Just my two sense worth, but my gut tendency is to avoid FT type bloat.
> Do you really need a new type?  What does this new type accomplish
> that cannot be accomplished by the existing FT types?  The more types
> there are the more work has to be done whenever new features are
> introduced that need to be type aware (like dranges).

The alternative point of view is that FT types are infrastructure
that make dissectors easier to write (they become a line of code
per field), allows novice programmers to write dissectors (and most
Ethereal contributors are people doing another job, but need a dissector
for the protocol that is troubling them in that job) and makes the user
experience consistent.

It also allows one variable change to alter the behaviour of that
FT type across all dissectors.  For example, consider someone in
Australia doing a decode of stuff captured in the US.  There's
currently no way to apply a consistent local time offset short
of stuffing about with the operating system.

More precise FT types also help dissector authors from falling
into traps.  Ethereal currently has one type for dotted-quad IPv4
addresses.  This is bad: source addresses are different from
destination addresses are different from route advertisment
addresses are different from subnet masks.  At the moment Ethereal
doesn't highlight impossible multicast source addresses, doesn't
highlight a routing mask of 255.255.255.254 (/31), doesn't
highlight a destination address of 0.0.0.0, doesn't highlight
a route of 127.0.0.0/8-32.

And these are the traps for one seemingly obvious field.

Notoriously complex fields like times and intervals are not
handled well at all.  And worse, they are handled inconsistently
between dissectors.

Protocols also deliberately include parts of other protocols.
So far, fields like TCP port numbers are handled through global
functions rather than being a type.  This will hurt in the longer
term.  For example, when filtering on TCP ports the user needs to
enter an integer, the IANA protocol name is not acceptable.
Having the TCP port as a type is a generic solution to this.

Glen

Follow-Ups:
- Re: [Ethereal-dev] New FT type
  - From: Ed Warnicke
- Re: [Ethereal-dev] New FT type
  - From: Guy Harris

References:
- Re: [Ethereal-dev] New FT type
  - From: Ed Warnicke

Prev by Date: Re: [Ethereal-dev] Crash after applying a filter
Next by Date: Re: [Ethereal-dev] New FT type
Previous by thread: Re: [Ethereal-dev] New FT type
Next by thread: Re: [Ethereal-dev] New FT type
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$