Ethereal-dev: Re: [Ethereal-dev] "By design", or memory leak ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: B.Loïc <50891@xxxxxx>
Date: Tue, 10 Jun 2003 11:38:51 +0200
Hello,

Thanks a lot for your answer.

Guy Harris wrote:

> [...]  In order for the dissector to do so:
>
>         1) it would need to know when it doesn't need it any more (and,
>            in some cases, it might be hard for the dissector to
>            determine that, as the first time it uses that information
>            might not be the last time it uses it);

I noticed that TCP connect/disconnect packets (handshake and so on) are not
stamped in the tree as belonging to a given protocol. That is, if I do
"tethereal port ssh", I see TCP packets on port 22 with SYN and/or ACK flag
set, but they are not stamped as "SSH".
I know, they are not, technically, SSH packets. Those coming afterwards are,
and are dissected as such.

But are these packets passed on to the dissector? If yes, they can be used to
determine when the connection is over and free memory. (Is it already how it is
done?) Of course there may be protocols which use different connections for
request and response and thus make this useless...

>         2) it would need to know whether it's running inside an
>            application that allows packets to be re-visited (Ethereal,
>            Zethereal, Packetyzer, etc.) or doesn't allow packets to be
>            re-visited (Tethereal).

Isn't it possible to pass relevant arguments to GCC when compiling?
For example, pass -DREVISIT when compiling ethereal, so the dissector can
include ethereal-specific code between #ifdef REVISIT / #endif? And/or do
the same for tethereal with -DNOREVISIT?

Of course that would require recompilation of (some, if not all) dissectors
between the builds of ethereal and tethereal... but with the speed of
computers today, is that really a problem? How about two sets of dissectors,
those which need recompiling, and those which don't?

Kindest regards,

Loïc