Wireshark · Ethereal-dev: Re: [Ethereal-dev] Another Stupid Question

Ethereal-dev: Re: [Ethereal-dev] Another Stupid Question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: David Frascone <dave@xxxxxxxxxxxx>

Date: Wed, 14 Feb 2001 21:26:38 -0600

Ok, assuming my dissector would just punt on a short packet, should I just
handle a long one with recursion?

i.e.: neato pseudo-code follows: 

semi_smart_dissector(tvb)
{

	check_length_in_packet();

	if (short_packet) // tvbuff shorter than reported packet length
		punt();

	smart_protocol_parser();  // we have at least one good packet

	if (stored length < tvb_length(tvb)) {
		nifty_make_new_tvb_call(tvb, difference in length);
		semi_smart_dissector(newtvb);
	}
}

On Wed, Feb 14, 2001 at 06:13:39PM -0500, Gilbert Ramirez wrote:
> On Wed, Feb 14, 2001 at 04:45:57PM -0600, David Frascone wrote:
> > Do tvbuffers help solve the problem of tcp fragmenting the input stream?
> 
> They possibly help the one problem of tcp reassembly.
> They do help the problem of reaching beyond the end of the packet
> to grab data because the next dissector assumes that it has
> a full packet.
> 
> The TVBUFF_COMPOSITE could be used to take multiple tvbuffs
> (payloads of tcp fragments) and make a new tvbuff from them.
> But there is no code to do that.
> 
> Furthemore, I don't know if that's the right approach for TCP.
> For IP, I think it is, since a fragmented IP packet, when re-combined,
> won't be that big and can be fit into memory.
> 
> TCP, being a stream, could have *many* fragments that when combined would
> not fit comfortably in memory (think of an FTP or HTTP download of
> a big file). Using TVBUFF_COMPOSITEs would require that the tvbuffs
> be in memory. I don't know; perhaps a better approach for TCP would
> be to do what "tcp follow" does and to save the stream to a file first.
> 
> Hmm, yeah. This intermediate "tcp follow" file could be written
> in a format that wiretap understands, have a wtap type of WTAP_ENCAP_TCP,
> and then be read in like any other file.... :)
> 
> But such code does not exist yet.
> 
> > Has this been handled by ethereal, or do I have to put a static buffer into
> > my dissector.
> 
> Not yet, but it has been on the list of things-to-to forever.
> 
> --gilbert
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev

Follow-Ups:
- Re: [Ethereal-dev] Another Stupid Question
  - From: David Frascone

References:
- [Ethereal-dev] Another Stupid Question
  - From: David Frascone
- Re: [Ethereal-dev] Another Stupid Question
  - From: Gilbert Ramirez

Prev by Date: Re: [Ethereal-dev] Core dump in lemon on grammar.lemon
Next by Date: Re: [Ethereal-dev] Another Stupid Question
Previous by thread: Re: [Ethereal-dev] Another Stupid Question
Next by thread: Re: [Ethereal-dev] Another Stupid Question
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$