Ethereal-dev: Re: [Ethereal-dev] The Thing - check in the files ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Thu, 18 Nov 2004 08:43:35 +1100

On Wed, 17 Nov 2004 22:13:06 +0100, LEGO <luis.ontanon@xxxxxxxxx> wrote:
> Good, I like that, I'll get on that right now.
> 
> Just two questions,
> 
> Can I call the thing_tree() directly from the tap's _packet() against
> the tree in the edt structure?

Yes.
Just remember that the EDT structure is pruned! So in order for
it to retain and not prune away the fields you are interested in, you
must create a filter in the registration of the tap listener that
contains all those fields.

Else they will be pruned and no longer be in the EDT structure.


> or else how do I call the thing dissector after the tap has run?
> 
> Doing things that way, could "the thing" become a runtime-linked module?
> 
> Thanks,
> 
> Luis
> 
> On Thu, 18 Nov 2004 07:29:32 +1100, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > I think that it would be important/desirable to make the module less
> > intrusive, i.e. remove the need to patch any of the files such as
> > file.c etc.
> >
> > My understanding is that you really only need to pull certain fields
> > from the packets into "Thing"?
> >
> > A better and much less intrusive way to do this is to use TAP to get the data.
> >
> > I think using TAP in a way similar to how proto,colinfo works would
> > be suitable.
> >
> > See http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/tap-protocolinfo.c?rev=12335&view=auto
> > for how -z proto,colinfo,<field> is using tap.
> >
> > It registers a TAP listener for the frame tap (all packets), then in
> > the filter string it specifies a filter that contains all the fields
> > we want to look at. The _packet() part of the listener then just pulls
> > the values out from the edt structure passed to tap.
> >
> > The reason the fields must be part of the filter string is to
> > guarantee that the fields will not be pruned by ethereal and so that
> > they are guaranteed to still be in the pruned edt tree when the tap is
> > called.
> >
> > On Wed, 17 Nov 2004 06:48:23 +0100, Martin Regner
> > <martin.regner@xxxxxxxxx> wrote:
> > >
> > > Ronnie Sahlberg wrote:
> > > > MATE :  Meta Analysis and Tracing Engine
> > > >
> > >
> > > PI: Packet Interceptor  (PDU Interceptor)
> > >
> >
>
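
As an added example (not part of the original thread and not Ethereal's own code): one way to build the filter string that the tap registration discussed above needs, by joining every field the listener wants to read with `||` so none of them is pruned from the edt tree. The function names and the sample field list are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept only characters used in field abbreviations (letters, digits,
 * '.', '_', '-'), so a name read from a config file cannot smuggle
 * operators or parentheses into the filter expression. */
static int field_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (; *name != '\0'; name++)
        if (!isalnum((unsigned char)*name) &&
            *name != '.' && *name != '_' && *name != '-')
            return 0;
    return 1;
}

/* Join the names into "a || b || c". Returns 0 on success, -1 for an
 * empty list, a rejected name, or a result that does not fit in out. */
int build_tap_filter(const char *const *fields, size_t n,
                     char *out, size_t outlen)
{
    size_t used = 0, i;

    if (fields == NULL || n == 0 || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        int w;
        if (!field_name_ok(fields[i]))
            return -1;
        w = snprintf(out + used, outlen - used, "%s%s",
                     i ? " || " : "", fields[i]);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1; /* a truncated filter would silently drop fields */
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample field list (assumption, not from the thread). */
    const char *const fields[] = { "ip.src", "tcp.srcport", "http.request.uri" };
    char filter[128];

    if (build_tap_filter(fields, 3, filter, sizeof filter) == 0)
        printf("%s\n", filter); /* string to hand to the tap registration */
    return 0;
}
```

Because the listener's filter also selects which packets reach `_packet()`, an OR of the field names means the callback runs for any packet carrying at least one of them, so each field lookup still has to handle the field being absent.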