Ethereal-dev: [ethereal-dev] Some thoughts on higher layer protocol dissectors ...
Hi,

In thinking about issues relating to handling higher layer protocols, and
the oft-stated desire to, at some stage, provide a tcp dissector that can
assemble all the TCP segments and provide them in order to any protocols
sitting above TCP, I have come to the following realization.

We are building a packet analysis/decoder tool, not a TCP/IP implementation
protocol.

There are always going to be cases where segments are missing, perhaps
because they got lost, or perhaps because they made their way between the
communicating parties on a path that we have not been able to capture from.

That being the case, any protocol dissectors for protocols sitting on top
of TCP (or even UDP) had better not rely on being given all the segments in
sequence. They are going to be required to make a best effort dissection.

However, it would be interesting if we could merge two captures together
... Obviously, one could build a tool like editcap and have it merge two
captures into one by looking at the timestamps on the frames ... however,
it would be good if this could be done by Ethereal as well ...

Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
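
The best-effort behaviour argued for in the message above, as an added example that is not part of the original post and is not Ethereal code: segments are ordered by sequence number, retransmitted bytes are dropped, and bytes that were never captured are marked and counted so the upper-layer dissector can keep going. The `struct seg` type, the `reassemble` function, the `'?'` filler and the sample segments are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One captured TCP payload (hypothetical type, not an Ethereal structure). */
struct seg { uint32_t seq; const char *data; uint32_t len; };

/* Order by sequence number; the signed difference survives 32-bit wraparound. */
static int seq_cmp(const void *a, const void *b)
{
    const struct seg *x = a, *y = b;
    int32_t d = (int32_t)(x->seq - y->seq);
    return (d > 0) - (d < 0);
}

/* Best-effort reassembly starting at sequence number isn. Bytes missing from
 * the capture are written as '?' and counted in *gaps instead of stalling the
 * stream. Returns the number of bytes written to out (never more than cap). */
size_t reassemble(struct seg *segs, size_t n, uint32_t isn,
                  char *out, size_t cap, unsigned *gaps)
{
    uint32_t next = isn;                    /* next expected sequence number */
    size_t w = 0;
    *gaps = 0;
    qsort(segs, n, sizeof *segs, seq_cmp);
    for (size_t i = 0; i < n; i++) {
        int32_t delta = (int32_t)(segs[i].seq - next);
        uint32_t skip = 0;
        if (delta > 0) {                    /* hole: segment(s) not captured */
            (*gaps)++;
            for (int32_t k = 0; k < delta && w < cap; k++) out[w++] = '?';
        } else if (delta < 0) {             /* overlap or retransmission */
            skip = (uint32_t)(-delta);
            if (skip >= segs[i].len) continue;  /* nothing new in it */
        }
        uint32_t take = segs[i].len - skip;
        if (take > cap - w) take = (uint32_t)(cap - w);
        memcpy(out + w, segs[i].data + skip, take);
        w += take;
        next = segs[i].seq + segs[i].len;
    }
    return w;
}

int main(void)
{   /* Constructed capture: out of order, one overlap, bytes 1010-1019 lost. */
    struct seg s[] = {{1020, "P/1.0", 5}, {1000, "GET /", 5}, {1003, " /index", 7}};
    char out[64]; unsigned gaps;
    size_t n = reassemble(s, 3, 1000, out, sizeof out, &gaps);
    printf("%.*s (%u gap)\n", (int)n, out, gaps);
    return 0;
}
```

A dissector fed this output sees the request line with a marked hole rather than nothing at all, and the gap count tells it how far to trust what it decoded.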