Hi all,
I noticed that the current X11 dissector works quite well for requests
(from client to server) but doesn't dissect events (vice versa), so I
started modifying it to dissect (guess what) X11 events, errors & Co.
The current code I have works well but needs some cleanup (from coding
style to renaming of some vars, etc.), therefore it isn't 100% ready: if
you want to see it, it's at
http://www.cli.di.unipi.it/~zunino/ethereal/packet-x11.c
http://www.cli.di.unipi.it/~zunino/ethereal/x11-fields
I'm ready to accept suggestions, of course.
Current status:
1) Event dissecting: 99% done, needs code cleanup.
2) Error dissecting: as above
3) Reply dissecting: 5% done, see below.
4) Desegmenting: 0% done (I'm not going to do it in the near future, maybe
later (maybe!))
A couple of questions:
1) The current code tries to guess the endianness of the packet using some
heuristic rules. That would be unnecessary if the dissector could read (or
maybe remember) the first non-empty segment from client to server (where
the client tells the server the endianness that will be used for all the
data stream). Is there any way to do it? This is related to question 2.
[Yes, the guessing code could still be useful if the first segment has not
been captured...]
2) X11 replies (server->client) cannot be really dissected unless the
dissector can read (or remember) the matching request (client->server).
The matching request is up on the TCP stream. Any ideas?
I thought of keeping a cache of this data, i.e.:

  the dissector gets called for the first packet ->
      endianness[tcp_connection_id]=get_end(packet)
  the dissector gets called for a request ->
      insert(pending_reqs, tcp_connection_id, req_type, req_serial)
  the dissector gets called for a reply ->
      extract(pending_reqs, rev(tcp_connection_id), req_serial) => req_type

[sorry for being so verbose]
The problem is that the packets could be out of order on the wire: in that
case the cache would be useless.
Is there an "easy" way to solve this? Maybe exploiting the support for
desegmentation of TCP?
TIA, and thank you for this great network analyzer!
Zun.
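
The cache sketched in the message above, as an added C example (not code from the post or from Ethereal): it records the byte order from the first client byte, numbers requests, and resolves a reply's 16-bit sequence number back to the request's major opcode, with length checks because the bytes come from an untrusted capture. The names `x11_conv`, `x11_setup`, `x11_request` and `x11_reply_opcode` and the ring size are hypothetical; it assumes in-order data on one connection, and because X11 requests carry no sequence number on the wire it counts them, starting at 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PENDING 64   /* ring size for outstanding requests (constructed value) */

/* Hypothetical per-TCP-connection state, one instance per client/server pair. */
typedef struct {
    uint8_t  order;            /* 0 = not seen, 'B' = MSB first, 'l' = LSB first */
    uint16_t next_seq;         /* low 16 bits of the next request's sequence number */
    uint16_t seq[PENDING];     /* sequence number stored in each slot */
    uint8_t  opcode[PENDING];  /* major opcode stored in each slot, 0 = empty */
} x11_conv;

/* First client->server bytes: the setup message starts with the byte-order byte. */
int x11_setup(x11_conv *c, const uint8_t *p, size_t len) {
    if (len < 1 || (p[0] != 'B' && p[0] != 'l')) return -1;
    memset(c, 0, sizeof *c);
    c->order = p[0];
    c->next_seq = 1;           /* the first request after setup is number 1 */
    return 0;
}

/* Client->server request: remember its major opcode under the counted number. */
int x11_request(x11_conv *c, const uint8_t *p, size_t len) {
    if (c->order == 0 || len < 4 || p[0] == 0) return -1;
    uint16_t s = c->next_seq++;
    c->seq[s % PENDING] = s;
    c->opcode[s % PENDING] = p[0];
    return s;
}

/* Server->client reply (first byte 1): return the matching request's opcode. */
int x11_reply_opcode(const x11_conv *c, const uint8_t *p, size_t len) {
    if (c->order == 0 || len < 4 || p[0] != 1) return -1;
    uint16_t s = c->order == 'B' ? (uint16_t)(p[2] << 8 | p[3])
                                 : (uint16_t)(p[3] << 8 | p[2]);
    if (c->opcode[s % PENDING] == 0 || c->seq[s % PENDING] != s) return -1;
    return c->opcode[s % PENDING];
}
```

A reply whose sequence number is not in the ring returns -1, which is the point where a dissector would fall back to showing the reply undecoded.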