Hi all
I am developing a binary traffic anonymizer for NFS.
I'll be getting traces from a file, anonymizing the
packets/segments and dumping to another output file.
One of the main tasks while anonymizing the traces is to handle the
RPC-over-TCP message fragmentation and re-assembly. To handle this, I
was thinking of writing a dissector that would run as part of tshark and
use the tshark/wireshark infrastructure (mainly tcp_dissect_pdus())
to re-assemble fragmented and segmented NFS traffic, anonymize it and
dump it into an output file.
I was wondering if I could get some more info about wireshark regarding
this idea.
1. Is this possible at all? I've looked at some code in tshark and it
seems doable.
2. I intend to override/replace the built-in RPC-over-TCP dissector with
my dissector/anonymizer. I'd really like to know if there's a better way
to go about this with tshark?
3. After anonymizing the re-assembled tvbuff_t buffers, I need to dump these
into a file. At the same time I need to preserve the
segmentation/fragmentation structure from the original trace while
dumping. Is there code in wireshark/tshark that can segment or fragment
a re-assembled tvbuff_t back into its original form?
Thanks in advance!
Shehjar
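The two layers the post has to deal with, as an added stand-alone example (not code from the post and not Wireshark code): ONC RPC over TCP uses record marking (RFC 5531 section 11), where each record is one or more fragments and each fragment is preceded by a 4-byte big-endian mark whose high bit is the "last fragment" flag and whose low 31 bits are the fragment length; TCP then cuts that byte stream into segments at arbitrary points. The code below reassembles records from arbitrarily segmented input while remembering the fragment lengths they arrived in, applies a transform, and re-emits the record with its original marks and fragment boundaries, which is the round trip question 3 asks about. The sample record, fragment sizes, segment sizes and the transform that zeroes the RPC xid (bytes 0..3 of the record) are constructed for the example; the field offset is from RFC 5531, everything else is an assumption of the demo.

```python
"""RPC-over-TCP record marking: reassemble, transform, re-fragment.

Added example, not from the original post and not Wireshark code.
Record mark layout (RFC 5531 s.11): 32-bit big-endian word, high bit set
on the last fragment of a record, low 31 bits = fragment body length.
"""
import struct

LAST_FRAG = 0x80000000
LEN_MASK = 0x7FFFFFFF


def fragment_record(record: bytes, frag_lens):
    """Rebuild the on-the-wire byte sequence for one record from its body and
    the list of fragment lengths it was originally sent in."""
    if sum(frag_lens) != len(record):
        raise ValueError("fragment lengths do not cover the record")
    out = bytearray()
    off = 0
    for i, n in enumerate(frag_lens):
        mark = n | (LAST_FRAG if i == len(frag_lens) - 1 else 0)
        out += struct.pack(">I", mark) + record[off:off + n]
        off += n
    return bytes(out)


class RecordReassembler:
    """Consume a TCP byte stream in arbitrary chunks; return complete records
    together with the fragment lengths they arrived in."""

    def __init__(self):
        self.buf = bytearray()   # bytes not yet consumed
        self.frags = []          # fragment bodies of the record in progress
        self.frag_lens = []

    def feed(self, data: bytes):
        self.buf += data
        records = []
        while len(self.buf) >= 4:
            (mark,) = struct.unpack_from(">I", self.buf, 0)
            n = mark & LEN_MASK
            if len(self.buf) < 4 + n:
                break            # fragment straddles a segment boundary: wait
            self.frags.append(bytes(self.buf[4:4 + n]))
            self.frag_lens.append(n)
            del self.buf[:4 + n]
            if mark & LAST_FRAG:
                records.append((b"".join(self.frags), self.frag_lens))
                self.frags, self.frag_lens = [], []
        return records

    def pending(self) -> bool:
        """True if a partial fragment or record is still buffered."""
        return bool(self.buf) or bool(self.frags)


def anonymize_stream(stream: bytes, segment_lens, transform):
    """Deliver `stream` in TCP segments of the given sizes, reassemble each
    record, apply `transform` to the whole record, and re-emit it with the
    original marks and fragment boundaries. `transform` must be
    length-preserving; otherwise the marks (and the trace's TCP sequence
    numbers) would no longer describe the bytes that follow them."""
    if sum(segment_lens) != len(stream):
        raise ValueError("segment lengths do not cover the stream")
    r = RecordReassembler()
    out = bytearray()
    off = 0
    for n in segment_lens:
        for record, frag_lens in r.feed(stream[off:off + n]):
            new = transform(record)
            if len(new) != len(record):
                raise ValueError("transform changed record length")
            out += fragment_record(new, frag_lens)
        off += n
    if r.pending():
        raise ValueError("stream ends inside a record (truncated trace)")
    return bytes(out)


def zero_xid(record: bytes) -> bytes:
    """Constructed transform: blank the RPC xid (first 4 bytes of a message)."""
    return b"\x00" * 4 + record[4:]


# Constructed sample: a 36-byte record sent as three fragments and then cut
# into three TCP segments whose boundaries do not line up with the fragments.
SAMPLE_RECORD = bytes(range(36))
SAMPLE_FRAG_LENS = [10, 20, 6]
SAMPLE_SEGMENT_LENS = [7, 13, 28]

if __name__ == "__main__":
    wire = fragment_record(SAMPLE_RECORD, SAMPLE_FRAG_LENS)
    anon = anonymize_stream(wire, SAMPLE_SEGMENT_LENS, zero_xid)
    print(len(wire), anon[:12].hex())
```

In Wireshark terms the `4 + (mark & LEN_MASK)` computation in `feed` is what a `get_pdu_len` callback handed to `tcp_dissect_pdus()` with a 4-byte fixed header would return; the re-fragmentation side is the part the post asks about, and it only works if the per-record fragment lengths are recorded during reassembly and the anonymization does not change the record's length.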