Ethereal-dev: Re: [Ethereal-dev] dfilter-modifications and inclusion of lib_ethereal.so
Mon, 18.07.2005 at 00.59 -0700, Guy Harris wrote:
> Håvard H Garnes wrote:
> > Hello. As part of mapi-development (mapi.uninett.no) I have made this
> > patch to Ethereal's dfilter to extract information from packets.
> >
> > This patch also includes lib_ethereal, which was developed as part of the
> > scampi-project (ist-scampi.org) to link an ethereal-library into mapi
> > for packet and protocol analysis.
>
> So what's the difference between libethereal, a library that's already
> built as part of Ethereal (although note that we do *NOT* yet guarantee
> that its API will not change in incompatible ways!) and lib_ethereal?
Unknown. I did not write lib_ethereal. The original patch was written
for ethereal 0.9.16 - perhaps there was no libethereal at the time. I
don't know. I only adapted the original lib_ethereal patch.
>
> > The new filter-addition is the keyword "return 'field'" which returns
> > the field-value in place of a gboolean from dfvm_apply.
>
> Do you have an example of how that would be used?
This could be used to do, for example,
return http.request.host
or
return mime_multipart.type
or
return ip.len
or almost any header or protocol information Ethereal can handle.
Exactly what information is most relevant to extract I don't know, but I
would guess that things like ip.len and other numbers are the most
interesting fields to extract for analysis.
> "grammar.c" is generated from "grammar.lemon", so it's sufficient to
> supply a patch for "grammar.lemon".
Oops. I really knew that. I must have missed it when I cleaned the patch
up.
Håvard