Wireshark · Ethereal-dev: Re: [Ethereal-dev] A couple of questions

Ethereal-dev: Re: [Ethereal-dev] A couple of questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>

Date: Mon, 12 Dec 2005 07:32:18 +0100 (CET)

On Sun, 11 Dec 2005, fabio matturro wrote:

> Hello :- )
>
> 1) The protocol (PVM)I'm writing the plugin for defines a 32-bit identifier
> field:
>
>
> :
> +-------------------------------------------------------------------------+
> | S| G|         H           |              L                            |
> +-------------------------------------------------------------------------+
>
> H is a Host identifier.
> Now, I've defined a heuristic in order to recognize PVM packets. What I'd
> like to do is to improve it. That is because the heuristic can't recognize
> all PVM packets.
> This is due to the fact that the heuristic matches only a subset of
> identifiers (those identifying daemons excluding those identitying Tasks
> running on daemons).
> PVM provides task identifiers in some messages being exchanged by daemons.
> Now, the idea is to fetch these task identifiers, store them in a list and
> then issue a check (if TaskID !isin List) return FALSE; )
>
> But:
>
> a) How can I create a list the can be searched during the whole
> capture/dissection? (Something like GMemChunk?P.S. I still have to use it,
> then I don't know that it's exactly for ; - ) )
>
> b) Do you think it's a solid way of defining a heuristic? I don't because
> 'what If I start capturing after that Task-identifier-containing message has
> been released'?
>
> Maybe i'd better improve the static format-checking : )
>
> 2) What are conversations for? I've read they're useful both before capture
> and before filtering. But in what sense, exactly?
>

Hi,

Quite a story. It looks like you can use a conversation indeed. They idea
is the following. Datagrams are going back and forth between an IP:port an
another IP:port. Some of these datagrams can be identified as PVM
protocol. Now if the IP:port relation is static a conversation can be used
to dissect all these datagrams as PVM, irrespective of the heuristics.
As you noted you have to see a datagram which matches the heuristic before
the IP:port relation can be set. If you can't wait for that you either
have to create a stronger heurisitic or you could set a fixed port address
in the dissector preference.

Thanx,
Jaap

References:
- [Ethereal-dev] A couple of questions
  - From: fabio matturro

Prev by Date: [Ethereal-dev] Documentation on newstyle and heuristic dissectors?
Next by Date: [Ethereal-dev] Plugin development
Previous by thread: [Ethereal-dev] A couple of questions
Next by thread: [Ethereal-dev] Documentation on newstyle and heuristic dissectors?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$