Wireshark · Ethereal-dev: [Ethereal-dev] packet-nfs, filename-fhandle snooping

Ethereal-dev: [Ethereal-dev] packet-nfs, filename-fhandle snooping

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Pia Sahlberg" <piabar@xxxxxxxxxxx>

Date: Mon, 13 Aug 2001 23:27:54 +0000

Hi list,

New attempt. Patch is sent in both tgz format and uuencoded format.
Please tell me which worked best.

Attached is a patch which snoops NFSv3LOOKUP packets and matches fhandleswith filenames.For every fhandle where the filename is known, the fhandle structure isextended in the tree pane with a searchable "nfs.name" file name entry.


To activate this feature, edit preferences/nfs

One problem I saw which someone with better knowledge of display filterscould help me with is :dissect_nfs_fh3() is also called from related protocols as Mount, NLM, etc.But when searching for "nfs.name" ethereal will not find any of thematching entries in say NLM.Something in ethereal will only match "nfs.name" when called from within thenfs dissector. I did not have time right now to figure out why.


have fun
  ronnie sahlberg



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

Attachment: nfs_snoop.tgz
Description: application/gzip-compressed

Attachment: nfs_snoop.uu
Description: application/base64

nfs filename snooping
=====================
[Menu: Edit/Preferences/NFS/snoop fhandle to filename mappings]
When enabled, this option will enable ethereal to snoop all LOOKUP packets
to learn the mapping between fhandles and filenames.
For every fhandle where the corresponding filename is learned an additional
item will be displayed in the tree pane :

Example: "Filename: foo.txt  (snooped from frames 29 and 30)"

This entry use the same "nfs.name" display filter variable as the normal

nfs filenames which means that applying the display filter"nfs.name=='foo.txt'"

will find both where the filename "foo.txt" was found in a packet as well as
all fhandle structures seen which corresponds to that name.

This setting also affects the nfs related protocols, NLM, MOUNT, KLM,HCLNFS, which use

the same fhandle structures as NFS.


This feature can only be used in ethereal and is not available in tethereal.

By enabling this feature the memory requirement for the ethereal willincrease.

Performance can be (but not be noticeably) affected by this feature.

BUGS:
This feature will currently only examine NFSv3:LOOKUP packets.
Please expand to other versions of NFS/other commands as required.

Prev by Date: Re: [Ethereal-dev] Unicode strings ...
Next by Date: Re: [Ethereal-dev] Unicode strings ...
Previous by thread: Re: [Ethereal-dev] packet-nfs.c
Next by thread: [Ethereal-dev] Crash in Win32 Ethereal-0.8.19
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$