Wireshark · Ethereal-dev: Re: [ethereal-dev] conversation wildcard entry

Ethereal-dev: Re: [ethereal-dev] conversation wildcard entry

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Frank Singleton <frank.singleton@xxxxxxxxxxxx>

Date: Tue, 26 Sep 2000 15:06:27 -0500

Jeff Foster wrote:
> 
> Per - Frank Singleton
> 
> > Perhaps there is another way, but what I want is
> > something like..
> >
> > c = conversation_new( &pi.src, &pi.dst, PT_TCP,dyn_port, &anyport,
> > NULL);
> >
<snip>
> >
> > ie: any packet from port "dyn_port" on my local
> > machine to "anyport" on a remote machine
> > should be a conversation.
> >
> > I took a look at the converstaion code and it apppears
> > to check both ports.
> 
> You are correct, the conversation code is setup to handle traffic
> from/to a pair of hosts and ports, it doesn't do what you want.

<snip>

It would be nice to be able to specify
> the protocol based upon an address and port, sort of a 'one sided
> conversation' (monologue?).  This is what Frank is looking for.
> 
> The basic idea is to create a conversation with either source or
> destination values set to null.  For example, set the destination to
> null.  During the conversation lookup routine check for a full
> conversation, match both source and destination. Then check for a
> 'one sided conversation' by testing both source and destination
> as the destination value with the source set to null.  The fits into
> the current conversation code and shouldn't impose to much overhead
> during the conversation lookup.
> 
> Long term, users could use this feature to define the protocol for
> non-standard ports on their servers and ethereal would correctly
> dissect the traffic.
> 
> Jeff Foster
> jfoste@xxxxxxxxxxxx


Yep, this is what I am after.

The ability to create and check for conversations that
can use wildcard entries for address/port 

c = conversation_new( &pi.src, ANY_ADDRESS, PT_TCP,dyn_port,
ANY_PORT,NULL);

or 

c = conversation_new( &pi.src, &pi.dst , PT_TCP, ANY_PORT,
dyn_port,NULL);

etc..

You can treat an ANY_XXX parameter as always a match 
with its counterpart, inside conversation.c

Cheers / Frank..

-- 
EUS/SV/Z Frank Singleton      ASO Americas BSS
Office : +1 972 583 3251      ECN 800 33251  
Pager  : +1 800 651 1184      Email : eusfrsi@xxxxxxxxxxxxxxx 
Amateur Radio: VK3FCS/KM5WS   Email : frank.singleton@xxxxxxxxxxxx

Hardware: HP Omnibook 4150 running Redhat Linux 6.2 (2.2.16 kernel).

References:
- RE: [ethereal-dev] conversation wildcard entry
  - From: Jeff Foster

Prev by Date: [ethereal-dev] Data display bug.
Next by Date: [ethereal-dev] spanning multiple packets
Previous by thread: RE: [ethereal-dev] conversation wildcard entry
Next by thread: Re: [ethereal-dev] conversation wildcard entry
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$