The PDML is basically a 1-to-1 mapping of the internal data structure
that Ethereal uses to store the parse data (a proto_tree data
structure). There's no way to make it easier to understand without
modifying that basic structure (the proto_tree), because all the
knowledge about the protocol and fields is in that proto_tree.

My suggestion is to always try to parse information from true Ethereal
fields, which are the "field" elements that have a "name" attribute.
Protocol dissectors like to make the information prettier by adding
arbitrary text to the proto_tree... that is encoded in the PDML with
the "show" or "showname" attributes. But if you can use Ethereal's
display filter language to filter on the field you need, you should be
able to retrieve that data from the PDML.

I would expect every "true field" (a "field" attribute with a "name"
attribute) to have a "value" element also. I would recommend using
that value element and forget about trying to parse text in the "show"
or "showname" elements.

If the info you need is not available in the "value" element, then
we could possibly modify the TCP dissector to provide it.

--gilbert

On 2/8/06, Martin d'Anjou <mdanjou@xxxxxxxxxxxx> wrote:
> Hello,
>
> I am trying to parse the PDML XML file to extract a list of TCP options.
> Below is a copy of what I captured. I have edited to make it narrower but
> all relevant fields to this enhancement request are still there. So here
> is an excerpt of my capture:
>
> <field show="Options: (24 bytes)" size="24" pos="54" ... >
> <field name="tcp.options.mss" showname="TCP MSS Option: True" hide="yes"
> .../>
> <field name="tcp.options.mss_val" showname="Maximum segment size: 1460
> bytes" .../>
> <field show="NOP" size="1" pos="58" value="01"/>
> <field show="NOP" size="1" pos="59" value="01"/>
> <field show="SACK permitted" size="2" pos="60" value="0402"/>
> <field show="NOP" size="1" pos="62" value="01"/>
> <field name="tcp.options.wscale" showname="TCP Window Scale Option:
> True".../>
> <field name="tcp.options.wscale_val" showname="Window scale: 0 .../>
> <field show="NOP" size="1" pos="66" value="01"/>
> <field show="NOP" size="1" pos="67" value="01"/>
> <field name="tcp.options.time_stamp" showname="TCP Time Stamp
> Option:True"../>
> <field show="Time stamp: tsval 924985617, tsecr 517379013".../>
> </field>
>
> I would like to be able to parse this and print out the list of TCP
> options. But parsing it is unnecessarily complicated by the fact that
> everything is called "field", and that the attributes do not consistently
> identify the option type. As you can see, sometimes the option name is in
> the name attribute, sometimes in the show attribute, sometimes in the
> showname attribute. This is not very easy to parse.
>
> Thank you for great software.
> Martin
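The approach recommended in the reply (read only "field" elements that carry a "name", take their "value", and ignore "show"/"showname" text), as an added example that is not part of the thread or of Ethereal's code. The PDML sample is constructed, and `split_fields` and its `prefix` parameter are names chosen for this illustration; a named field with no "value" attribute is reported as `None` rather than guessed from display text.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment shaped like the excerpt in the thread; all values are made up.
SAMPLE_PDML = """<pdml><packet><proto name="tcp">
<field show="Options: (12 bytes)" size="12" pos="54">
  <field name="tcp.options.mss" showname="TCP MSS Option: True" hide="yes" value="01"/>
  <field name="tcp.options.mss_val" showname="Maximum segment size: 1460 bytes" value="020405b4"/>
  <field show="NOP" size="1" pos="58" value="01"/>
  <field show="SACK permitted" size="2" pos="59" value="0402"/>
  <field name="tcp.options.wscale_val" showname="Window scale: 0" value="030300"/>
  <field name="tcp.options.time_stamp" showname="TCP Time Stamp Option: True"/>
  <field show="Time stamp: tsval 1, tsecr 2" size="10" pos="64"/>
</field>
</proto></packet></pdml>"""


def split_fields(pdml_text, prefix="tcp.options."):
    """Return (named, text_only).

    named: (name, value) for every "field" element whose "name" attribute
    starts with prefix; value is None when the attribute is absent.
    text_only: "show" strings of "field" elements without a usable name.
    """
    # ElementTree is not hardened against malicious XML; feed it only PDML
    # produced by your own capture tooling.
    root = ET.fromstring(pdml_text)
    named, text_only = [], []
    for field in root.iter("field"):
        name = field.get("name")
        if name and name.startswith(prefix):
            named.append((name, field.get("value")))
        elif not name:
            # Dissector-added display text: record it, but never parse it.
            text_only.append(field.get("show", ""))
    return named, text_only


if __name__ == "__main__":
    named, text_only = split_fields(SAMPLE_PDML)
    for name, value in named:
        print(f"{name:28} {value if value is not None else '(no value attribute)'}")
    print("text-only items skipped:", text_only)
```
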