Wireshark · Ethereal-dev: Re: [Ethereal-dev] a question about discontinuous tvbuffs

Ethereal-dev: Re: [Ethereal-dev] a question about discontinuous tvbuffs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ed Warnicke <hagbard@xxxxxxxxxxxxxxxxxxx>

Date: Sun, 15 Apr 2001 12:02:27 -0400 (EDT)

On Sun, 15 Apr 2001, Guy Harris wrote:

> On Sun, Apr 15, 2001 at 12:53:16AM -0400, Ed Warnicke wrote:
> > How well do the byte selections in the data pane of ethereal deal 
> > with this?  If I highlight a field in the dissection pane should I expect 
> > the discontinous sections of the data to be highlighted in the data
> > pane?  What about if I click on a byte in the data frame, will the 
> > inverse mapping work properly?  What if the mapping from data in a 
> > packet back to fields isn't one-to-one?  
> 
> Good question.  I don't think that's ever been tested.  It could well
> not work - the code to handle that may well not even have been
> *written*.
> 
> However:
> 
> > In the process of tvbuffing the dns dissector I'm looking at setting 
> > up tvbuffs for dns names that are backed by discontinous sections 
> > of the backing tvbuff.  This is to handle DNS message compression 
> > as described in RFC 1035, section 4.1.4, page 30.
> > 
> > The problem is that a given section of the dns message may be 
> > part of multiple DNS names, and therefore multiple RR via this 
> > compression.  Thus the lack of one-to-one-ness.
> 
> ...I'm unconvinced that this is the correct way to handle this.  A
> protocol tree item for a compressed DNS name currently, when selected,
> highlights only the field, not the fields to which it points; I think
> that's the correct way to handle it.
> 
> So I wouldn't create new tvbuffs for this.  Instead, I'd just use
> "tvb_get_guint8()" to fetch bytes from the DNS request in
> "get_dns_name()", i.e. instead of
> 
> 	xxx = *dp++;
> 	offset++;
> 
> I'd do
> 
> 	xxx = tvb_get_guint8(tvb, offset);
> 	offset++;
> 
> and so on.
> 
I disagree.  One of the really useful purposes I see for ethereal is 
pedagogical.  Ethereal is a useful for allowing people to see the 
structure of protocols that they had only read about in RFCs previously.
Showing people the bytes things come from is a part of this.  

I've worked with others who where trying to sort out how some 
protocol or other works who used ethereal to do so, rather than sitting
down with a hex dump and a pencil to scribble out how these 
things work. 

Having get_dns_name() return a tvbuff, and using that tvbuff so as to 
have the bytes in the data pane highlighed when you select the appropriate
field in the dissection pane does a lot to facilitate this.

Ed

Follow-Ups:
- Re: [Ethereal-dev] a question about discontinuous tvbuffs
  - From: Guy Harris

References:
- Re: [Ethereal-dev] a question about discontinuous tvbuffs
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] a question about discontinuous tvbuffs
Next by Date: [Ethereal-dev] Documentation
Previous by thread: Re: [Ethereal-dev] a question about discontinuous tvbuffs
Next by thread: Re: [Ethereal-dev] a question about discontinuous tvbuffs
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$