Ethereal-dev: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 26 Apr 2005 05:44:29 -0400

heur_dissector_add() is the right first step, but is only really
appropriate if netdump does use other ports as well.

If netdump is always using port 6666, which clashes with sigcomp, then
the real solution (== more work)
would be to:
1. Change sigcomp to become a "new style" dissector (== one that
returns a boolean and not void, and which first checks "does this look
like this protocol? If not, return 0 and let Ethereal try the next
possible match").
2. Change netdump to also be a new style dissector.

New style dissectors (all dissectors should eventually be changed to
new-style, since the birthday effect and such make these clashes more
likely every time we add a new dissector)
use new_create_dissector_handle() instead of create_dissector_handle().

Please see packet-xot.c for a small example of it. Notice that the
main dissector returns 0 if it doesn't think it looks like xot!


Both sigcomp and netdump need to be changed to be new-style.
Maybe Anders or someone else from the telco crowd can change sigcomp
to the new style in preparation for netdump?

Anders?


(I'm reluctant to touch that one myself since I don't use that protocol
myself and am not familiar at all with it...)



On 4/25/05, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> Guess I'm supposed to give an svn diff, so here it is.
> 
> Eric
> 
> On Mon, 2005-04-25 at 14:10 -0400, Eric Paris wrote:
> > Attached is a file packet-netdump.c which should dissect netdump
> > packets.  Netdump is the protocol used to send crash information like
> > the stack and memory contents to a netdump server when a Linux machine
> > panics/oops.
> > 
> > This is my first attempt at a dissector, so please let me have any
> > comments on any problems you see.
> > 
> > Netdump uses port UDP 6666 which is also defined by packet-sigcomp.c.  I
> > don't have any traces which result in parsing these types of packets so
> > I'm not sure how to make sure it is still picking those up.  I found
> > that just registering port 6666 with dissector_add caused the sigcomp to
> > still get tried and my netdump to never get tried.  So I registered with
> > heur_dissector_add and it started trying my dissector second.  So I can
> > only assume that it will get those others.   I'm not sure what the right
> > way is to do this.  Please comment if this was not right or if there is
> > a better way.
> > 
> > I have a netdump capture with netdump traffic but it's about 40 megs long
> > (dumping memory does generate a lot of traffic), please let me know if
> > access to this is needed.
> > 
> > Eric
> 
>
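
A stand-alone C model of the "return 0 and let the next possible match try" behaviour described in the reply above, added here as an illustration; it is not Ethereal code and does not use the Ethereal API. The protocols proto_a and proto_b, their wire formats, the sample payloads and dispatch() are all hypothetical.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* New-style contract: return bytes consumed, or 0 for "not my protocol". */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* Hypothetical protocol A: magic "PRTA" followed by version byte 1. */
static int dissect_proto_a(const uint8_t *buf, size_t len)
{
    if (len < 5) return 0;                      /* bounds check before any read */
    if (memcmp(buf, "PRTA", 4) != 0) return 0;  /* wrong magic: decline */
    if (buf[4] != 1) return 0;                  /* unknown version: decline */
    return (int)len;
}

/* Hypothetical protocol B: 16-bit big-endian length that must match the payload. */
static int dissect_proto_b(const uint8_t *buf, size_t len)
{
    if (len < 2) return 0;                      /* header not present: decline */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared != len - 2) return 0;          /* inconsistent length: decline */
    return (int)len;
}

/* Both candidates share one port; a candidate that declines lets the next try. */
static const struct { const char *name; dissector_fn fn; } port_6666[] = {
    { "proto_a", dissect_proto_a },
    { "proto_b", dissect_proto_b },
};

/* Try each candidate in turn; fall back to raw "data" if all decline. */
const char *dispatch(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < sizeof port_6666 / sizeof port_6666[0]; i++)
        if (port_6666[i].fn(buf, len) > 0)
            return port_6666[i].name;
    return "data";
}

/* Constructed sample payloads, not taken from any real capture. */
static const uint8_t pkt_a[]     = { 'P', 'R', 'T', 'A', 1, 0xde, 0xad };
static const uint8_t pkt_b[]     = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t pkt_short[] = { 'P', 'R' };

int main(void)
{
    printf("%s %s %s\n", dispatch(pkt_a, sizeof pkt_a), dispatch(pkt_b, sizeof pkt_b), dispatch(pkt_short, sizeof pkt_short));
    return 0;
}
```

The truncated payload is claimed by neither candidate and falls through to "data", which is the outcome the length checks exist to guarantee.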