Wireshark · Ethereal-dev: Re: [Ethereal-dev] Misdissection from the diameter dissector

Ethereal-dev: Re: [Ethereal-dev] Misdissection from the diameter dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 7 Oct 2002 15:47:32 -0700

On Tue, Sep 24, 2002 at 03:28:09PM +0200, Biot Olivier wrote:
> This very common situation could lead to a new Ethereal feature. When two
> possibilities exist, then both *should* be tested. Ulf's diameter<->rpc
> decode would result in:  diameter decoding does not work, thus try rpc
> (which by miracle works). If both fail, then the default information should
> be shown (last known protocol layer, typically TCP or UDP).
> 
> Any comments on this?

There is currently a mechanism by which a non-heuristic dissector can
say "this is not one of my packets"; that's the mechanism that would be
needed (i.e., a way for the Diameter dissector to specify that decoding
didn't work).

The dissector would have a handle created with
"new_register_dissector()" or "new_create_dissector_handle()"; a
new-style dissector currently returns an "int", which would either be:

	0, if the dissector rejects the packet;

	the number of bytes of packet data (normally, "tvb_length(tvb)")
	if the dissector accepts the packet;

	the negative of the number of additional bytes of data required,
	if this is running over a byte-stream protocol (e.g., TCP) and
	further data is required for reassembly.

However, currently the negative-number stuff doesn't do anything - and
I'm not sure it ever will, as "tcp_dissect_pdus()" may be the right way
to centralize the "running over a byte stream" stuff, at least for TCP -
and the 0 vs. number of bytes of packet data stuff is currently, in
effect, a Boolean, as the number of bytes of packet data isn't used (see
previous comment about TCP, although I guess it *could* be used
elsewhere).

So I haven't decided what the "right" API is; it may be that the "right"
API is to just have it return a Boolean.

Once the "right" API is determined, existing non-heuristic dissectors
should be converted, the old "register_dissector()" and
"create_dissector_handle()" routines and "dissector_t" type should
be removed, and "new_register_dissector()",
"new_create_dissector_handle()", and "new_dissector_t" should be renamed
"register_dissector()", "create_dissector_handle()", and "dissector_t".

There are a few dissectors that are "new-style" non-heuristic
dissectors; the Diameter dissector could be made another one.

Prev by Date: Re: [Ethereal-dev] Request for Change
Next by Date: Re: [Ethereal-dev] IPv6 Question
Previous by thread: Re: [Ethereal-dev] Request for Change
Next by thread: Re: [Ethereal-dev] Misdissection from the diameter dissector
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$