Wireshark · Ethereal-dev: Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol data

Ethereal-dev: Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Morriss <morriss@xxxxxxxxx>

Date: Mon, 07 Jul 2003 16:56:17 -0400


John McDermott wrote:

Richard Sharpe wrote:
No, I was thinking of how a tool like Ethereal would be able to figureout how to dissect the PDUs in a packet that simply contained SMB PDUs.
It seems that we have two alternatives:

  1. Unique protocol IDs for each and every protocol

  2. Some sort of path to the protocol.

Perhaps there are other approaches that I have not though of.
I think we should thrash this out some more, because it is worthwhileto get it [close-to] right.
I guess my first question is how would these get generated? Are youlooking at having a program spew them out for debugging? If you are notgoing to have some SMB and some NFS and some Telnet and some ... Couldwe not modify the "decode as" mechanism to just pass the PDUs on todissectors? What changes would we have to make in the wiretap/libpcaplayer?

In my case, yes, it's for debugging. In my case I get access to MTP2 orMTP3 and higher when I receive the message. There was never anyethernet, IP, or SCTP involved.

I don't particularly like the "Decode As" idea: I'd rather have thefiles self-describing (e.g., so if someone sends me a file that containsSCCP I don't want them to have to also tell me that it's SCCP--computersare supposed to make our lives easier, aren't they? ;-) ).

Just thinking out loud (and maybe talking out my whatever) isn't somesort of layer necessary to say, "here comes 150 bytes of SMB" so wecould get accurate packet boundries?

Good point. Especially since some protocols (MTP3) don't have lengthindicators in them... (MTP2 does but it's only 6 bits long: anythingover 63 octets in length has a length of "63".)

Another reason to have one DLT_ value and a "fake link" layer would beif we want to support multiple protocols in one file (e.g., an SCCPpacket followed by an MTP3 packet followed by another SCCP packet).

If you are debugging, couldn't you print out fake headers, too?

I had considered writing fake headers, but in my case there never wasany ethernet/IP/SCTP under the SS7 packets, so it feels really ugly tome. (What do I put for a source-IP address? 0.0.0.0? Blech...)

References:
- Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol data
  - From: Richard Sharpe
- Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol data
  - From: John McDermott

Prev by Date: Re: [Ethereal-dev] Can't open Sniffer trace
Next by Date: Re: [Ethereal-dev] Can't open Sniffer trace
Previous by thread: Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol data
Next by thread: Re: [Ethereal-dev] Support for pure protocol packetswithout underlying protocol data
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$