Wireshark · Ethereal-dev: Fw: [Ethereal-dev] SMBpatch for read/write and x

Ethereal-dev: Fw: [Ethereal-dev] SMBpatch for read/write and x

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <rsahlber@xxxxxxxxxxxxxx>

Date: Thu, 29 Nov 2001 08:18:40 +1100

Subject: Re: [Ethereal-dev] SMBpatch for read/write and x

 Hi,

 From: "Tim Potter"
 Sent: Thursday, November 29, 2001 7:27 AM
 Subject: Re: [Ethereal-dev] SMBpatch for read/write and x

 > On Wed, Nov 28, 2001 at 12:51:59PM +0000, Pia Sahlberg wrote:
 [snip]

 > > I assume this is some optimization, if dissecting in the tree under the
 > > protocol branch: proto_pipe, then ONLY check hf_index entries
 > > registred for proto_pipe and ignore anything else.
 >
 > But if I type in "smb" as a filter string (a good trick btw) I get
 > all smbs and all msrpc transactions.  By your reasoning above I should
 > only get the SMB transactions and not the msrpc ones?

 No, smb will find everything since SMB is part of the top tree.
 However, what I mean is that the tree looks like :
 ...
 SMB   ( created by  proto_tree_add_protocol(proto_smb) )
       smb-stuff  ( created by proto_tree_add_item() )
 PIPE   ( created by proto_tree_add_protocol(proto_pipe) )
       pipe-stuff  (created by proto_tree_add_item() )

 By searching for SMB you will find everything since SMB is the protocol
item
 at the first level in the tree.
 However, when dissecting the packets (say a ...->smb->pipe packet) and the
 dissector gets to dissect-smb-pipe()
 then it will do a proto_tree_add_protocol(proto_pipe) which causes the
 display filter matching stuff it to temporarely forget
 all about smb stuff, and only concentrate on hf_pipe_xxx
 (since we are now dissecting inside the proto_pipe protocol)

 I assume it is an optimization, when inside proto_X, only look at hf_X when
 matching display filters (we have quite a number of displayfilters now)
 Perhaps the displayfilter stuff should always scan ALL hf_variables (speed
 up smb which holds ~10% of them?)
 and be made to handle that?
 Say a fast and simple hash that produces values 0-255 (xor of all bytes in
 name is fast and simple) which gives us a table between0-255
 the table then stores pointers to binary trees, one tree per hash
 value.Store the display filter entries matching the hash in the
 corresponding
 tree.  Since these trees are static, we only build the trees when the
 application is starting, thus runtime is not really critical, thus we could
 also make sure that the trees are perfectly balanced for furter
 optimization.
 Then we change the display filter stuff to always look through ALL hf_x
 fields and not only a subset.
 Another thing to put in the TODO list for some unknown future...

 Have you tried my proposed workarund i described in the previous mail?

Follow-Ups:
- Re: Fw: [Ethereal-dev] SMBpatch for read/write and x
  - From: Gilbert Ramirez

Prev by Date: Re: [Ethereal-dev] SMBpatch for read/write and x
Next by Date: Re: Fw: [Ethereal-dev] SMBpatch for read/write and x
Previous by thread: Re: [Ethereal-dev] SMBpatch for read/write and x
Next by thread: Re: Fw: [Ethereal-dev] SMBpatch for read/write and x
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$