Jeff, thank you for your reply.
2011/4/29 Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>:
> Max wrote:
>>
>> For now I use "global" conversation state for dissection if the packet
>> has no proto data associated with it, otherwise I use state from the
>> associated data, which stores the state before the first packet
>> dissection was done. Am I right in doing such things?
>
> Do you mean you try to use data from the stored conversation state (ala
> README.request_response_tracking) and if that does not exist then fall back
> to a global variable? I think normally the fallback to not having the
> conversation data is to just assume it's the first packet (decode it as such
> and then create a conversation structure). But maybe I misunderstand your
> question.
I do it in the following way:
1) If no conversation data is associated with my proto, I assume that
it is the first packet.
2) If I have conversation data but no proto data associated with the
packet, I use the conversation data's phase to dissect the packet. If
dissection succeeds, then I save the old phase information into the
packet's proto data and update the conversation's phase.
3) If the packet has proto data, I use its phase to dissect the
packet. The conversation state is not updated in that case.
>
>> The next problem is decryption and decompression. I've read how this
>> should be done, but I have not found any info regarding the following
>> points:
>>
>> 1) Should decryption and decompression be done every time the
>> dissector is called? Or is there a way to figure out that it was
>> already done?
>
> I don't know how it's normally done, but I think the only way you'd know if
> it had already been done is if you stored the result of the decryption in a
> dissector-specific structure in a way that you can easily find it again. I
> suspect, though, that normally the decryption is redone each time it is
> needed.
I looked through the SSL dissector. It decrypts the packet only during the
first dissection and keeps the allocated buffer in the packet's proto data.
But the child tvbuff is created on every dissection for this buffer.
>
>> 2) How to run dissector on the decrypted tvbuff? Should it be done
>> manually or Wireshark does this itself?
>
> You need to do that manually: once you have the decrypted data in a (new)
> TVB you need to call a (sub)dissector on it.
Yep!
>> 3) If decryption is supposed to be done every time the dissector
>> is called, how then should I keep the decryption cipher context?
>> Cloning and storing the cipher context for every packet may cost a lot
>> of memory, and AFAIK libgcrypt doesn't provide any means
>> to clone the context (cipher handle).
>
> I can't even hazard a guess on this one...
Since the decryption is done only once, the problem is absent.
--
Max
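The following is an added, stand-alone C model of the two patterns this thread settles on: Max's three-branch rule for choosing between conversation state and per-packet state (points 1 to 3 above), and the SSL dissector's habit of decrypting only on the first pass while re-creating the child tvb and re-running the subdissector on every pass. It is not code from the thread, from Max's dissector or from Wireshark: `conv`, `pkt_state`, `dissect_packet()`, `toy_decrypt()` and `subdissector()` are invented names standing in for `conversation_t`, `p_add_proto_data()`/`p_get_proto_data()`, the libgcrypt call and `tvb_new_child_real_data()` followed by a subdissector call. The "finished" marker byte, the XOR cipher and the four-frame capture are all constructed for the example. Its point is the failure mode the thread is circling: once frames are re-dissected out of order (the user clicks frame 2, then frame 0), only state stored on the frame gives the right phase, and the cipher must not run again.

```c
/* Added example: a stand-alone model of per-conversation vs. per-frame state
 * and decrypt-once caching. Not Wireshark code; all names are invented
 * stand-ins (see lead-in). Build: cc -std=c99 -Wall state_model.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKTS 8
#define MAX_LEN  16
#define TOY_KEY  0x5A            /* constructed XOR key, no security value */

enum phase { PHASE_HANDSHAKE = 0, PHASE_DATA = 1 };

/* Conversation-wide state (what a dissector hangs off a conversation_t). */
static struct { int created; int phase; } conv;

/* Per-frame state (what p_add_proto_data() would attach to a frame). */
static struct pkt_state {
    int present;                 /* proto data already attached to this frame */
    int phase;                   /* phase used when the frame was first dissected */
    int decrypted;               /* plain[] holds the decrypted payload */
    uint8_t plain[MAX_LEN];
    size_t plain_len;
} pkt[MAX_PKTS];

static int decrypt_calls;        /* how often the cipher actually ran */
static int subdissector_calls;   /* how often the payload dissector ran */

/* Toy cipher standing in for the libgcrypt decrypt call: XOR with a constant. */
static void toy_decrypt(const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ TOY_KEY;
    decrypt_calls++;
}

/* Stand-in for handing the decrypted child tvb to a subdissector. */
static void subdissector(const uint8_t *data, size_t len)
{
    (void)data; (void)len;
    subdissector_calls++;
}

void reset_state(void)
{
    memset(&conv, 0, sizeof conv);
    memset(pkt, 0, sizeof pkt);
    decrypt_calls = subdissector_calls = 0;
}

/* One dissector invocation for frame `num`; returns the phase it used. */
int dissect_packet(int num, const uint8_t *data, size_t len)
{
    struct pkt_state *ps = &pkt[num];
    int phase;

    if (ps->present) {
        /* 3) frame already has proto data: use its phase and leave the
         *    conversation alone (re-dissection, possibly out of order) */
        phase = ps->phase;
    } else {
        if (!conv.created) {         /* 1) no conversation data: first packet */
            conv.created = 1;
            conv.phase = PHASE_HANDSHAKE;
        }
        /* 2) conversation data but no frame data: dissect with the
         *    conversation's phase, record it on the frame, then advance */
        phase = conv.phase;
        ps->present = 1;
        ps->phase = phase;
        if (phase == PHASE_HANDSHAKE && len > 0 && data[0] == 0x01)
            conv.phase = PHASE_DATA; /* constructed "finished" marker byte */
    }

    if (phase == PHASE_DATA) {
        if (!ps->decrypted) {        /* decrypt once, keep the buffer on the frame */
            if (len > MAX_LEN) len = MAX_LEN;
            toy_decrypt(data, len, ps->plain);
            ps->plain_len = len;
            ps->decrypted = 1;
        }
        /* the "child tvb" is re-created on every pass over the cached buffer */
        subdissector(ps->plain, ps->plain_len);
    }
    return phase;
}

/* Constructed sample capture: two plaintext handshake frames, then two
 * encrypted payload frames (ciphertext = plaintext XOR TOY_KEY). */
static const uint8_t f0[] = { 0x00, 'h', 'i' };
static const uint8_t f1[] = { 0x01 };
static const uint8_t f2[] = { 'O' ^ TOY_KEY, 'K' ^ TOY_KEY };
static const uint8_t f3[] = { 'b' ^ TOY_KEY, 'y' ^ TOY_KEY, 'e' ^ TOY_KEY };
static const uint8_t *frames[] = { f0, f1, f2, f3 };
static const size_t   lens[]   = { sizeof f0, sizeof f1, sizeof f2, sizeof f3 };
#define NFRAMES 4

/* First sequential pass over the capture; returns the number of decryptions. */
int first_pass(void)
{
    reset_state();
    for (int i = 0; i < NFRAMES; i++)
        dissect_packet(i, frames[i], lens[i]);
    return decrypt_calls;
}

/* Re-dissect a single frame, as happens when the user clicks on it. */
int redissect(int num)       { return dissect_packet(num, frames[num], lens[num]); }
int decrypt_count(void)      { return decrypt_calls; }
int subdissector_count(void) { return subdissector_calls; }
int conv_phase(void)         { return conv.phase; }
int frame_phase(int num)     { return pkt[num].present ? pkt[num].phase : -1; }

/* Byte `i` of a frame's cached plaintext, or -1 if the frame has none. */
int plaintext_byte(int num, size_t i)
{
    return (pkt[num].decrypted && i < pkt[num].plain_len) ? pkt[num].plain[i] : -1;
}

int main(void)
{
    printf("first pass: %d decryptions\n", first_pass());
    printf("re-dissect frame 2: phase %d\n", redissect(2));
    printf("re-dissect frame 0: phase %d\n", redissect(0));
    printf("decryptions still %d, conversation phase %d, frame 2 payload '%c%c'\n",
           decrypt_count(), conv_phase(), plaintext_byte(2, 0), plaintext_byte(2, 1));
    return 0;
}
```

Two things are worth noticing when running it. Re-dissecting frame 0 after frame 2 returns the handshake phase even though the conversation has long since moved to the data phase, because branch 3 never consults the conversation. And the decryption counter stays at two across the re-dissections: the cipher runs per frame, not per dissection, which is exactly why the "how do I clone the cipher context for every packet" question in point 3 disappears. In a real dissector the cached buffer would be allocated from file-scope memory and attached with `p_add_proto_data()`, so that it survives until the capture is closed; a stack or packet-scope buffer would not.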