Ethereal-dev: Re: [Ethereal-dev] How to start the desegmenting process

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 2 May 2003 18:23:14 -0700
On Fri, May 02, 2003 at 10:51:05PM +0200, Matthijs Melchior wrote:
> There is one problem left. All my test cases start correctly with
> a top level pdu. I cannot expect that to happen when I look at a
> live data stream. I will need some way to give ethereal a hint as
> to where in the first packet of a capture it is reasonable to start
> parsing.

Ronnie Sahlberg added some stuff that might at least partially allow
that, and might be the basis for code to allow more of it.

If the dissector isn't heuristic, but could scan through a TCP segment
and decide where in that segment a packet for its protocol begins, that
would probably be fairly straightforward to handle (and Ronnie's changes
might already allow that).

For heuristic dissectors it's a bit more complicated, at least if you
have more than one heuristic dissector in the dissector table, as it
raises the question of whether it would be done by:

	heuristic dissector 1 scans the TCP segment looking for one of
	its packets;

	if it doesn't find one, heuristic dissector 2 scans the TCP
	segment;

	etc.

or

	heuristic dissector 1 is asked whether one of its packets begins
	at the beginning of the segment;

	if not, heuristic dissector 2 is asked;

	...

	if not, heuristic dissector 1 is asked whether one of its
	packets begins one byte after the beginning of the segment;

	if not, heuristic dissector 2 is asked;

	...

	if not, heuristic dissector 1 is asked whether one of its
	packets begins 2 bytes after the the beginning of the segment;

	etc..

The latter might be more likely to get the right answer in most cases.