Ethereal-dev: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 27 Apr 2005 04:31:21 -0400
Maybe we should then change the proto registration code to allow
multiple new-style dissectors to register on the same port?
On 4/27/05, Martin Regner <martin.regner@xxxxxxxxx> wrote:
> Hi,
>
> Sigcomp dissector is already using the new dissector style and will only try
> to decode the UDP-packets where the first byte is matching a certain pattern:
>
> /* Code to actually dissect the packets */
> static int
> dissect_sigcomp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
> {
>
>
> :
> :
>
> /* Is this a SigComp message or not ? */
> octet = tvb_get_guint8(tvb, offset);
> if ((octet & 0xf8) != 0xf8)
> return 0;
>
> If this check fails then Ethereal will continue with the next dissector, but
> please note that there can currently only be one dissector for a certain
> port. That is the problem you are having. Your dissector tries to register
> for port number 6666 which SIGCOMP dissector has already registered.
>
> The ports that are used in SIGCOMP dissector are configurable from
> Edit/Preferences/Protocols/SIGCOMP.
> Currently the values 5555 and 6666 are used when Ethereal is installed.
> You can change those values and save the configuration.
>
>
> ----- Original Message -----
> From: "Anders Broman (AL/EAB)" <anders.broman@xxxxxxxxxxxx>
> To: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>; "Ethereal development"
> <ethereal-dev@xxxxxxxxxxxx>
> Sent: Tuesday, April 26, 2005 12:22 PM
> Subject: RE: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump
>
>
> Hi,
> I'll look at changing Sigcomp but I don't know when I'll have the time to do
> it.
> Best regards
> Anders
>
> -----Original Message-----
> From: ethereal-dev-bounces@xxxxxxxxxxxx
> [mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of ronnie sahlberg
> Sent: den 26 april 2005 11:44
> To: Ethereal development
> Subject: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump
>
>
> heur_dissector_add() is the right first step, but is only really
> appropriate if netdump does use other ports as well.
>
> If netdump is always using port 6666 which clashes with sigcomp then
> the real solution (==more work) would be to
> 1, change sigcomp to become a "new style" dissector (==one that
> returns a boolean and not void and which first checks "does this look
> like this protocol? if not return 0 and let ethereal try the next possible
> match.")
> 2, change netdump to also be a new style dissector.
>
> New style dissectors (all dissectors should eventually be changed to
> new-style since birthday effect and such make these clashes more
> likely every time we add a new dissector)
> use new_create_dissector_handle() instead of create_dissector_handle().
>
> Please see packet-xot.c for a small example of it. Notice that the
> main dissector returns 0 if it doesn't think it looks like xot!
>
>
> Both sigcomp and netdump need to be changed to be new-style.
> Maybe Anders or someone else from the telco crowd can change sigcomp
> to the new style in preparation for netdump?
>
> Anders?
>
>
> (I'm reluctant to touch that one myself since I don't use that protocol
> myself and am not familiar at all with it...)
>
>
>
> On 4/25/05, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> > Guess I'm supposed to give an svn diff, so here it is.
> >
> > Eric
> >
> > On Mon, 2005-04-25 at 14:10 -0400, Eric Paris wrote:
> > > Attached is a file packet-netdump.c which should dissect netdump
> > > packets. Netdump is the protocol used to send crash information like
> > > the stack and memory contents to a netdump server when a Linux machine
> > > panics/oopses.
> > >
> > > This is my first attempt at a dissector, so please let me have any
> > > comments on any problems you see.
> > >
> > > Netdump uses port UDP 6666 which is also defined by packet-sigcomp.c. I
> > > don't have any traces which result in parsing these types of packets so
> > > I'm not sure how to make sure it is still picking those up. I found
> > > that just registering port 6666 with dissector_add caused the sigcomp to
> > > still get tried and my netdump to never get tried. So I registered with
> > > heur_dissector_add and it started trying my dissector second. So I can
> > > only assume that it will get those others. I'm not sure what the right
> > > way is to do this. Please comment if this was not right or if there is
> > > a better way.
> > >
> > > I have a netdump capture with netdump traffic but it's about 40 megs long
> > > (dumping memory does generate a lot of traffic), please let me know if
> > > access to this is needed.
> > >
> > > Eric
> > > _______________________________________________
> > > Ethereal-dev mailing list
> > > Ethereal-dev@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> >
> >
>
>
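
The dispatch behaviour proposed in this thread, as an added example that is not part of any message above and is not Ethereal code: a stand-alone C model in which two dissectors share port 6666 and each returns 0 when the payload is not its own. The `model_*` names, the table layout and the "DEMO" magic are assumptions made up for illustration (the thread does not show the netdump format); only the `0xf8` first-octet test comes from the quoted SigComp code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "New style" contract: return bytes consumed, or 0 for "not my protocol". */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* The first-octet test from the SigComp code quoted in the thread. */
static int model_sigcomp(const uint8_t *buf, size_t len)
{
    if (len < 1)                        /* empty payload: nothing to test */
        return 0;
    return ((buf[0] & 0xf8) == 0xf8) ? (int)len : 0;
}

/* Hypothetical second protocol. The "DEMO" magic is constructed for this
 * example; it is NOT the real netdump wire format. */
static int model_other(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[4] = { 'D', 'E', 'M', 'O' };
    if (len < sizeof magic || memcmp(buf, magic, sizeof magic) != 0)
        return 0;                       /* too short or wrong magic */
    return (int)len;
}

struct port_entry { uint16_t port; const char *name; dissector_fn fn; };
static const struct port_entry port_table[] = {   /* two entries, one port */
    { 6666, "sigcomp", model_sigcomp },
    { 6666, "other",   model_other   },
};

/* Offer the payload to each dissector on the port; first non-zero wins. */
const char *dispatch(uint16_t port, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].port == port && port_table[i].fn(buf, len) > 0)
            return port_table[i].name;
    return "data";                      /* nobody claimed the payload */
}

/* Constructed sample payloads. */
const uint8_t pkt_sigcomp[] = { 0xf9, 0x10, 0x20 };
const uint8_t pkt_other[]   = { 'D', 'E', 'M', 'O', 0x01 };
const uint8_t pkt_unknown[] = { 0x00, 0x01 };
int main(void)
{
    printf("%s %s %s\n", dispatch(6666, pkt_sigcomp, sizeof pkt_sigcomp),
           dispatch(6666, pkt_other, sizeof pkt_other),
           dispatch(6666, pkt_unknown, sizeof pkt_unknown));
    return 0;
}
```

Because the SigComp test in this model looks at a single octet, any payload on the port whose first byte is 0xf8 to 0xff is claimed by the first table entry, so registration order decides which dissector sees such traffic.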





