Wireshark-dev: Re: [Wireshark-dev] Dissector for Cisco ITP packet logging facility
From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Tue, 06 Feb 2007 09:53:32 +0800

Hi Abhik,

Abhik Sarkar wrote:
Thanks for your help with this, for the explanation of the changes and
for including it in the code. I still have a lot to learn.

So did I, that's why it took me a while to rework your patch ;-)

I have just one concern... The Cisco allows the user to set the syslog
facility and severity when starting the debug. The values you saw were
the default values. Therefore, checking for LOCAL0/DEBUG only might
cause problems if the user chooses to select non-default values.
However, like you said, most syslog packets will not contain MSUs, so
it is important that we don't waste CPU cycles. I think it is best we
leave this check in, until someone complains :-)

Hmm, well, it's not really saving that much CPU time, but I also suspect that the vast majority of people will leave the default value there so hopefully it won't matter. As you said, if it does, we can always change it later. (The only problem with that is if someone doesn't even know the feature is there because it doesn't automatically show up: in that case they won't know that they could complain and have it changed.)

Anyway, we'll see...
-J

On 2/1/07, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:

Abhik Sarkar wrote:
I have also been trying to find out a way to get the syslog dissector
to tell all subsequent dissectors that the byte array was generated
and not present in the actual capture and hence to mark their protocol
tree items using the PROTO_ITEM_SET_GENERATED macro, but have so far
been unsuccessful. Perhaps you have some ideas on this.
Thanks for the sample capture file.

I reworked the code and checked it in as rev 20665.  Here are some of
the changes (and in some cases why I made them) in case you're interested:

- put all the MSU functionality in a separate function in the syslog
dissector
- don't bother looking for the MSU unless the facility is LOCAL0 and the
level is DEBUG (since syslog messages for most of the world aren't going
to be from the ITP we can save some CPU time).  Please let me know if
you find that other facilities or levels are used by the ITP and I can
adjust it as necessary.
- don't use g_ascii_xdigit_value() as it's not available in Glib 1.2,
instead use Wireshark's internal convert_string_to_hex() routine
- call g_strfreev() on the result of g_strsplit() (the entire array
needs to be freed)
- don't use g_string_new() since g_strsplit() is already allocating new
space for the string(s)
- don't use ep_alloc_array() to allocate the backing data for the tvb
but rather use the g_malloc()'d result from convert_string_to_hex().
Use tvb_set_free_cb() to free the backing data whenever Wireshark feels
it's OK to free it.  I think that will be a different time than when the
ep_ memory would have been freed.
- don't make the syslog dissector waste its time filling in the Info
column if there's an MSU there (it would just be overwritten by MTP3 anyway)
- added a (marked as generated) boolean to the syslog tree that shows
that we found an SS7 MSU in the message.  That's about all that can be
done, I think.

Thanks for your contribution!

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
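The two mechanisms discussed in the thread, the LOCAL0/DEBUG gate and the hex-string-to-bytes conversion that feeds the MTP3 dissector, shown as a stand-alone C example. This is added illustration, not Wireshark's packet-syslog.c or Cisco ITP code: it has no tvb or proto_tree, the "MSU=" marker and the sample syslog lines are constructed assumptions (the real ITP message layout is not shown in the thread), and the gate is passed in as parameters rather than hard-coded so the non-default facility/severity case Abhik raises can be handled by reconfiguring it.

```c
/* Added example (not Wireshark or Cisco code): gate a syslog line on
 * facility/severity and recover an SS7 MSU carried as hex text. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSLOG_FAC_LOCAL0 16   /* RFC 3164 facility number */
#define SYSLOG_SEV_DEBUG   7   /* RFC 3164 severity number */

/* Assumed marker: the MSU is taken to follow this token as one run of hex
 * digits.  The actual ITP output format is not shown in the thread. */
#define MSU_MARKER "MSU="

/* Decode the "<PRI>" prefix, PRI = facility * 8 + severity.
 * Returns the number of characters consumed, or 0 if absent/malformed. */
static size_t parse_pri(const char *msg, int *facility, int *severity)
{
    char *end;
    long pri;

    if (msg[0] != '<')
        return 0;
    pri = strtol(msg + 1, &end, 10);
    if (end == msg + 1 || *end != '>' || pri < 0 || pri > 191)
        return 0;                 /* 23 * 8 + 7 = 191 is the largest PRI */
    *facility = (int)(pri / 8);
    *severity = (int)(pri % 8);
    return (size_t)(end - msg) + 1;   /* include the closing '>' */
}

/* Convert an even-length run of hex digits to bytes.  The buffer is
 * malloc'd (the thread's convert_string_to_hex() result is g_malloc'd the
 * same way) and the caller frees it.  NULL on empty input, odd digit count
 * or a non-hex character. */
static uint8_t *hex_to_bytes(const char *hex, size_t *out_len)
{
    size_t n = 0, i;
    uint8_t *buf;

    while (isxdigit((unsigned char)hex[n]))
        n++;
    if (n == 0 || (n % 2) != 0)
        return NULL;
    buf = malloc(n / 2);
    if (buf == NULL)
        return NULL;
    for (i = 0; i < n; i += 2) {
        char pair[3] = { hex[i], hex[i + 1], '\0' };
        buf[i / 2] = (uint8_t)strtoul(pair, NULL, 16);
    }
    *out_len = n / 2;
    return buf;
}

/* MSU bytes from one syslog line, or NULL when the line is not from the
 * wanted facility/severity or carries no usable MSU.  The cheap PRI check
 * runs before any string searching, as in the thread's gate. */
uint8_t *extract_msu(const char *line, int want_fac, int want_sev, size_t *out_len)
{
    int fac, sev;
    size_t off = parse_pri(line, &fac, &sev);
    const char *p;

    if (off == 0 || fac != want_fac || sev != want_sev)
        return NULL;
    p = strstr(line + off, MSU_MARKER);
    if (p == NULL)
        return NULL;
    return hex_to_bytes(p + strlen(MSU_MARKER), out_len);
}

/* Convenience wrappers: MSU length (or -1) and the byte at idx (or -1). */
int msu_len(const char *line, int want_fac, int want_sev)
{
    size_t n = 0;
    uint8_t *b = extract_msu(line, want_fac, want_sev, &n);
    if (b == NULL)
        return -1;
    free(b);
    return (int)n;
}

int msu_byte(const char *line, int want_fac, int want_sev, size_t idx)
{
    size_t n = 0;
    uint8_t *b = extract_msu(line, want_fac, want_sev, &n);
    int v = (b != NULL && idx < n) ? b[idx] : -1;
    free(b);
    return v;
}

int main(void)
{
    /* Constructed sample line: PRI 135 = LOCAL0 (16) * 8 + DEBUG (7). */
    const char *line = "<135>Feb  6 09:53:32 itp1: MSU=83000102c0de";
    printf("MSU length: %d, first byte: 0x%02x\n",
           msu_len(line, SYSLOG_FAC_LOCAL0, SYSLOG_SEV_DEBUG),
           msu_byte(line, SYSLOG_FAC_LOCAL0, SYSLOG_SEV_DEBUG, 0));
    return 0;
}
```

The gate is the only thing standing between the syslog dissector and a strstr() over every syslog message, so with the default ITP settings PRI 135 is the value to look for; an operator who moves the debug output to, say, LOCAL1 produces PRI 143 and the MSU is silently ignored unless the wanted facility is changed to match.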