Ethereal-dev: Re: [Ethereal-dev] Another Stupid Question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: David Frascone <dave@xxxxxxxxxxxx>
Date: Wed, 14 Feb 2001 21:33:47 -0600
I just realized this won't work either.  It'd be impossible to find the start
of the next packet.  Grrrrr . . . . Am I just SOL?

On Wed, Feb 14, 2001 at 09:26:38PM -0600, David Frascone wrote:
> Ok, assuming my dissector would just punt on a short packet, should I just
> handle a long one with recursion?
> 
> i.e.: neato pseudo-code follows: 
> 
> semi_smart_dissector(tvb)
> {
> 
> 	check_length_in_packet();
> 
> 	if (short_packet) // tvbuff shorter than reported packet length
> 		punt();
> 
> 	smart_protocol_parser();  // we have at least one good packet
> 
> 	if (stored length < tvb_length(tvb)) {
> 		nifty_make_new_tvb_call(tvb, difference in length);
> 		semi_smart_dissector(newtvb);
> 	}
> }
> 
> On Wed, Feb 14, 2001 at 06:13:39PM -0500, Gilbert Ramirez wrote:
> > On Wed, Feb 14, 2001 at 04:45:57PM -0600, David Frascone wrote:
> > > Do tvbuffers help solve the problem of tcp fragmenting the input stream?
> > 
> > They possibly help the one problem of tcp reassembly.
> > They do help the problem of reaching beyond the end of the packet
> > to grab data because the next dissector assumes that it has
> > a full packet.
> > 
> > The TVBUFF_COMPOSITE could be used to take multiple tvbuffs
> > (payloads of tcp fragments) and make a new tvbuff from them.
> > But there is no code to do that.
> > 
> > Furthemore, I don't know if that's the right approach for TCP.
> > For IP, I think it is, since a fragmented IP packet, when re-combined,
> > won't be that big and can be fit into memory.
> > 
> > TCP, being a stream, could have *many* fragments that when combined would
> > not fit comfortably in memory (think of an FTP or HTTP download of
> > a big file). Using TVBUFF_COMPOSITEs would require that the tvbuffs
> > be in memory. I don't know; perhaps a better approach for TCP would
> > be to do what "tcp follow" does and to save the stream to a file first.
> > 
> > Hmm, yeah. This intermediate "tcp follow" file could be written
> > in a format that wiretap understands, have a wtap type of WTAP_ENCAP_TCP,
> > and then be read in like any other file.... :)
> > 
> > But such code does not exist yet.
> > 
> > > Has this been handled by ethereal, or do I have to put a static buffer into
> > > my dissector.
> > 
> > Not yet, but it has been on the list of things-to-to forever.
> > 
> > --gilbert
> > 
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev