On 2011-12-18 14:17, Andriy Beregovenko wrote:
Hi,
I'm now writing a dissector for a certain kind of traffic. I already have basic knowledge of dissector writing, so a first, primitive version is already done. But now, when I try to complete a fully featured version of the dissector, I get into many troubles with the routine, so I'm looking for good advice from experienced developers.
First of all, let me describe my traffic a little:
- most of the traffic is encrypted (with RC4) + compressed (with MPPC); only a few start frames are not encrypted;
- a few start frames (or packets) have the RC4 key inside them.
So I do the following. When I dissect traffic, I look for the first frames, read the RC4 keys from them and put them into a static variable, so all other frames (packets) can now be correctly decrypted. But I also need to decompress (with MPPC), and here I run into my troubles, because I can only decompress the incoming data 'linearly' (this is an MPPC-specific feature), so I'm stuck here. Please point me to the right way to implement this type of dissector.
-- Best regards, Andriy 0xBDDBDAE3
Hi,
Two things to be aware of:
1. Using statics to store dissection-related data (key material in your case) is bad style. Why? Imagine what happens when there are two streams in your capture. Which key are you going to store?
2. You have to be aware that Wireshark accesses frames in random order all the time. Only the first pass is sequential.
Because of 1. there is the notion of 'conversations'. Per conversation you can store protocol-related data (your key). Every time you are asked to dissect a packet (remember, this can be in random order!), you have access to this stored data, in your conversation data.
Because of 2. you can set up your conversation data (your key) on the first pass (see the PINFO_FD_VISITED macro) and use it later on.
Read through doc/README.developer for these subjects.
Thanks,
Jaap
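The two points above, as an added stand-alone C model. This is the editor's example, not code from either poster and not Wireshark source; it does not link against libwireshark. A small per-flow table plays the role of Wireshark's conversation table, a `visited` flag on each frame plays PINFO_FD_VISITED, and the real calls each piece stands in for (find_or_create_conversation(), conversation_add_proto_data() / conversation_get_proto_data()) are named in the comments. The "KEY:" clear-text key frames, the two sample streams, their 8-byte RC4 keys and the plaintexts are all constructed for the example. The static-key variant is the approach from the question, kept beside the per-conversation one so that the two-stream failure is visible.

```c
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t a, b; uint16_t pa, pb; } flow_t;   /* addresses and ports */
/* 'visited' stands in for PINFO_FD_VISITED(pinfo): 0 on the first pass only. */
typedef struct { flow_t flow; int visited; uint8_t data[32]; size_t len; } frame_t;
enum { MAX_CONV = 8, NFRAMES = 6, KEYLEN = 8 };
/* Per-conversation data, i.e. what conversation_get_proto_data() hands back for real. */
typedef struct { int in_use; flow_t flow; int have_key; uint8_t key[KEYLEN]; } conv_t;
static conv_t conv_table[MAX_CONV];

/* Conversations are bidirectional: either direction of the flow matches. */
static int same_flow(const flow_t *x, const flow_t *y)
{
    return (x->a == y->a && x->b == y->b && x->pa == y->pa && x->pb == y->pb) ||
           (x->a == y->b && x->b == y->a && x->pa == y->pb && x->pb == y->pa);
}

/* Stands in for find_or_create_conversation(pinfo). */
static conv_t *find_or_create_conversation(const flow_t *f)
{
    for (int i = 0; i < MAX_CONV; i++)
        if (conv_table[i].in_use && same_flow(&conv_table[i].flow, f)) return &conv_table[i];
    for (int i = 0; i < MAX_CONV; i++)
        if (!conv_table[i].in_use) { conv_table[i].in_use = 1; conv_table[i].flow = *f; return &conv_table[i]; }
    return NULL;
}

/* Textbook RC4 (KSA then PRGA).  Symmetric, so it also builds the sample capture. */
static void rc4(const uint8_t *key, size_t klen, const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t S[256], t; int i, j;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Constructed convention: key frames carry the RC4 key in clear as "KEY:" + KEYLEN bytes. */
#define IS_KEY_FRAME(fr) ((fr)->len == 4 + KEYLEN && memcmp((fr)->data, "KEY:", 4) == 0)

/* Per-conversation dissector: 1 with plaintext in out[], 0 for a key frame or a keyless conversation. */
int dissect(const frame_t *fr, uint8_t *out)
{
    conv_t *conv = find_or_create_conversation(&fr->flow);
    if (!conv) return 0;
    if (IS_KEY_FRAME(fr)) {
        /* Set up conversation data on the first pass only; later random-order visits find it there. */
        if (!fr->visited) { memcpy(conv->key, fr->data + 4, KEYLEN); conv->have_key = 1; }
        return 0;
    }
    if (!conv->have_key) return 0;
    rc4(conv->key, KEYLEN, fr->data, out, fr->len);
    return 1;
}

/* What the question did: one static key, so whichever stream wrote it last wins. */
static uint8_t g_key[KEYLEN]; static int g_have_key;
int dissect_static(const frame_t *fr, uint8_t *out)
{
    if (IS_KEY_FRAME(fr)) { memcpy(g_key, fr->data + 4, KEYLEN); g_have_key = 1; return 0; }
    if (!g_have_key) return 0;
    rc4(g_key, KEYLEN, fr->data, out, fr->len);
    return 1;
}

/* Constructed capture: streams A and B interleaved with different keys; frame 4 runs server -> client. */
static const flow_t FLOW_A = { 0x0a000001, 0x0a000002, 40000, 5000 };
static const flow_t FLOW_B = { 0x0a000003, 0x0a000002, 40001, 5000 };
static const char *PLAIN[NFRAMES] = { NULL, NULL, "hello-A", "hello-B", "bye-A", "bye-B" };

/* Pass 1: all frames in order with visited = 0.  Pass 2: frames requested backwards with
 * visited = 1, as when a user clicks around the packet list.  Returns how many of the 4
 * data frames come back as their plaintext in pass 2. */
int run(int (*dissector)(const frame_t *, uint8_t *))
{
    frame_t cap[NFRAMES]; uint8_t out[32]; int good = 0;
    memset(cap, 0, sizeof cap);
    cap[0].flow = FLOW_A; memcpy(cap[0].data, "KEY:keyAAAAA", 12); cap[0].len = 12;
    cap[1].flow = FLOW_B; memcpy(cap[1].data, "KEY:keyBBBBB", 12); cap[1].len = 12;
    for (int i = 2; i < NFRAMES; i++) {
        cap[i].flow = (i % 2 == 0) ? FLOW_A : FLOW_B;
        cap[i].len = strlen(PLAIN[i]);
        rc4((const uint8_t *)(i % 2 == 0 ? "keyAAAAA" : "keyBBBBB"), KEYLEN, (const uint8_t *)PLAIN[i], cap[i].data, cap[i].len);
    }
    cap[4].flow = (flow_t){ FLOW_A.b, FLOW_A.a, FLOW_A.pb, FLOW_A.pa };
    memset(conv_table, 0, sizeof conv_table); g_have_key = 0;   /* fresh dissection state */
    for (int i = 0; i < NFRAMES; i++) { dissector(&cap[i], out); cap[i].visited = 1; }
    for (int i = NFRAMES - 1; i >= 0; i--)
        if (dissector(&cap[i], out) && memcmp(out, PLAIN[i], cap[i].len) == 0) good++;
    return good;
}
```

run(dissect) replays the two-stream capture once in order and once backwards and recovers all four data frames, including the one sent in the reverse direction, because the key is looked up through the (bidirectional) conversation and was recorded while visited was still 0. run(dissect_static) recovers only the two frames of the stream whose key frame was dissected last, which is point 1 in practice. The MPPC decompression the question asks about is not modelled here.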