Wireshark · Ethereal-dev: Re: [Ethereal-dev] Referenceing data at specific stream position

Ethereal-dev: Re: [Ethereal-dev] Referenceing data at specific stream position

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Sat, 16 Apr 2005 17:21:18 -0700

(Please don't send messages by following up to unrelated messages - thatcauses mail readers that do threading to include the message in thethread with the unrelated messages.)


Helge Kruse wrote:

In a stream dissector I have a query response scheme. The client sends a
query, containing an identificator. The server answers with a response that
has this identificator.

To dissect this protocol I need the query at a response time. I can build a
collection with all queries in the dissector. But this seems to be a bad
design. I would have to store ca. 50% of the data in a copy at the
dissector.

So you need about half the data from the query to dissect the response(e.g., a query contains a key and a list of identifiers for values, andthe response contains the values corresponding to those identifiers forthe record corresponding to the key)?

So I want  to remember the position in the "stream" where the query is sent.
When I dissect the response, I want to lookup the tvbuff containing the
query.

Is there any concept for this task?

Is there any concept of "look up the tvbuff containing the query"? No.Tvbuffs don't persist after Ethereal or Tethereal finishes with apacket. (If they did, you'd be storing *100%* of the data from thequery, *and* all the protocol headers before that data.)

There's also no notion of reading data for an earlier packet "on demand"- with the current implementation of reading compressed capture files,that would work *very* badly, as moving backwards in the capture file isdone by going to the beginning and reading forward. We should fix thatat some point.

Another question regards the user interface. Can I add to the context menu a
"goto query" or "goto response" item, that would navigate to that frame?

You can add to the protocol tree an item of type FT_FRAMENUM and a valueequal to the frame number of the matching query/response. (Youobviously can't do that for the response frame on the first pass throughthe capture, but you could do that when the packet is selected andre-dissected, as long as you have a data structure that remembers thoseframe numbers.)

There already exist context menu items that, when you're over anFT_FRAMENUM field, will take you to the frame in question.

References:
- [Ethereal-dev] Referenceing data at specific stream position
  - From: Helge Kruse

Prev by Date: [Ethereal-dev] buildbot failure in Solaris 8 (SPARC)
Next by Date: [Ethereal-dev] Buildbot crash output
Previous by thread: [Ethereal-dev] Referenceing data at specific stream position
Next by thread: [Ethereal-dev] Buildbot crash output
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$