Ethereal-dev: Re: [Ethereal-dev] Heuristic Dissectors for Serial Protocols Encapsulated in TCP
Neal Winblad wrote:
Gentlemen,
We would like to use Ethereal to look at not only Ethernet traffic but
also various serial protocols which we will ship over Ethernet,
encapsulated in TCP packets. We would like to write dissectors for
these various protocols (e.g. Pan-Tilt-Zoom CCTV control, NTCIP
variable message highway signs, RTMS radar detectors, etc.). Since
these protocols were intended for direct serial connections they
typically have no identification in the header as to what protocol
these devices are speaking. We plan to use terminal servers
manufactured by Digi International to translate from Ethernet network
to serial port data. Digi has a protocol called Realport that runs on
top of TCP and would have a TCP port number that would correspond to
which serial port on the Digi box the serial signal will be routed to.
Knowing that a particular protocol is being spoken on a given port of
a given terminal server, we could presumably write a dissector that
would know that at this given port # and IP address a given protocol
is being spoken. Trouble is, there might be a couple dozen other
addresses/ports also talking this same protocol. And, on the next
project the addresses and ports will likely change. Is there a
configuration file that could be filled in on a project by project
basis that would do this mapping?

Like some other protocol dissectors, you could write a dissector named
Digi which could have a set of some preference settings like Port1
[number] Protocol1 [protocol] Port2 [number] ...
So your users can select let's say Port1 to be 14121 with the Protocol2
Pan-Tilt-Zoom and so on for Port2, Port3, ...
If I understand you correctly, these settings won't change very often,
so this might be a usable way to go.

Or, we could put some protocol identifying characters in front of the
Start-of-Header characters in the serial protocol that would allow a
heuristic dissector to be able to identify them. Trouble here is that
some of these serial protocols can’t afford the latency hit of these
extra padding characters (e.g. Pan-Tilt-Zoom control can get sluggish
and overshoot the scene you want to move the camera to). Can we add
these identifier padding characters one time and Ethereal will learn
what protocol is on what port/IP and then remember it for future packets?

Some dissectors currently do it that way, but usually on a
packet-by-packet basis only, looking at traffic content from/to
well-known ports.

If so, will it remember this configuration information or would we
have to send them again every time Ethereal is opened up?

It's currently not possible to have such settings saved at runtime for
usage in the next Ethereal run.

Looking for your ideas on how to best accomplish this objective.

Hope this helped a bit,
Regards, ULFL
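
The two ideas discussed in this thread, a configured port-to-protocol mapping and a one-time identifier that is learned per IP/port, sketched as an added stand-alone C example (not Ethereal code and not from either poster). The protocol ids, the table size and the 0xA5 prefix format are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical protocol ids for this sketch; not Ethereal identifiers. */
enum proto { PROTO_UNKNOWN = 0, PROTO_PTZ, PROTO_NTCIP, PROTO_RTMS };
struct endpoint { uint32_t ip; uint16_t port; enum proto proto; };

#define MAX_ENDPOINTS 64
static struct endpoint table[MAX_ENDPOINTS];
static size_t table_len;

/* Look up the protocol recorded for ip:port, or PROTO_UNKNOWN. */
enum proto map_get(uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < table_len; i++)
        if (table[i].ip == ip && table[i].port == port)
            return table[i].proto;
    return PROTO_UNKNOWN;
}

/* Add a mapping, e.g. from a per-project preference. Returns -1 if the
 * endpoint is already mapped or the table is full (no silent overwrite). */
int map_add(uint32_t ip, uint16_t port, enum proto p)
{
    if (map_get(ip, port) != PROTO_UNKNOWN || table_len == MAX_ENDPOINTS)
        return -1;
    table[table_len++] = (struct endpoint){ ip, port, p };
    return 0;
}

/* Constructed 2-byte identifier (0xA5 + id) standing in for the
 * "protocol identifying characters" sent once ahead of the serial data. */
static enum proto sniff_prefix(const uint8_t *d, size_t len)
{
    if (len < 2 || d[0] != 0xA5 || d[1] < PROTO_PTZ || d[1] > PROTO_RTMS)
        return PROTO_UNKNOWN;
    return (enum proto)d[1];
}

/* Classify one TCP payload. Known endpoints win; otherwise try the
 * prefix and remember a hit. *skip is the prefix length to step over. */
enum proto classify(uint32_t ip, uint16_t port, const uint8_t *d, size_t len, size_t *skip)
{
    enum proto p = map_get(ip, port);
    *skip = 0;
    if (p == PROTO_UNKNOWN && (p = sniff_prefix(d, len)) != PROTO_UNKNOWN) {
        *skip = 2;
        map_add(ip, port, p);   /* if the table is full, just not remembered */
    }
    return p;
}
```

Because a learned entry is derived from packet content, the lookup consults existing entries first and `map_add` refuses to replace them, so a configured mapping cannot be overridden by whatever a later payload claims to be.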