Wireshark-dev: Re: [Wireshark-dev] Wireshark-dev Digest, Vol 17, Issue 69
From: habib zainali g <habibz1366@xxxxxxxxxxx>
Date: Sat, 27 Oct 2007 10:26:32 +0400
> From: wireshark-dev-request@xxxxxxxxxxxxx
> Subject: Wireshark-dev Digest, Vol 17, Issue 69
> To: wireshark-dev@xxxxxxxxxxxxx
> Date: Wed, 24 Oct 2007 17:26:05 +0000
>
> Send Wireshark-dev mailing list submissions to
>         wireshark-dev@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://www.wireshark.org/mailman/listinfo/wireshark-dev
> or, via email, send a message with subject or body 'help' to
>         wireshark-dev-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
>         wireshark-dev-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-dev digest..."
>
>
> Today's Topics:
>
>    1. Re: Protocol Parser Compiler (Luis EG Ontanon)
>    2. Support for MGCP over TCP with ASCII TPKT header (Harmeet Sawhney)
>    3. make in ./doc entered twice (Toralf Förster)
>    4. Re: epan/.libs/libwireshark.so.0.0.1 is not in scope of make ? (Toralf Förster)
>    5. Wireshark Crashing (Diaconou, Alex)
>    6. decoding Remote Desktop Protocol (DePriest, Jason R.)
>    7. Re: decoding Remote Desktop Protocol (Stephen Fisher)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Oct 2007 16:05:01 +0200
> From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] Protocol Parser Compiler
> To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> Message-ID: <f20d86b70710240705l21dfedfbj799c79d38915f1b0@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> IMHO BNF or the alike is not the way to go!
>
> BNF parser generators have few issues that make them unfit for protocol
> dissectors the way we do them. I've started to write an ABNF-based LR
> dissector generator but found many things that would make it unfit.
>
> take the following BNF:
>
> a ::= b c.
> b ::= b b.
> b ::= B.
> c ::= C.
>
> let's say we got a packet containing BBBC (a mechanism, besides the
> BNF, to define terminal symbols is needed).
>
> The code for the reduction of "B -> b", "b b -> b" and "C -> c" will
> be evaluated before the code for reducing "b c -> a" is triggered.
> That means that we'll have a call sequence like this:
>
> B -> b
> B -> b
> b b -> b
> B -> b
> b b -> b
> C -> c
> b c -> a
> a -> $
>
> If we want to create a dissection tree from this call sequence we
> would need to call reversed. The code for the reduction of the start
> symbol (that should create the root of our tree) should be called
> first but an LR parser is going to call it at last.
>
> We would have to evaluate the entire message (hoping that is complete
> or else we will not be able to reduce the start symbol) creating
> interim containers before being able to add anything to the tree,
> which is cumbersome.
>
> This phenomenon shows up in the XML dissector (which is based on a bad
> idea I had similar to that of a BNF generated parser) where in order
> to avoid not being able to reduce the start symbol in case the message
> is truncated, I wrote many grammars for many different elements
> instead of a single grammar for the entire XML message and manage the
> entire parsing with a separate stack of described.
> Not only in order to be able to create the subtree before its children
> the parser first creates a tree on its own, then it does some callbacks
> before pushing the subtrees and some others later on after popping,
> making the code unintelligible. It does not even do the whole thing
> via the grammar!
>
> For generating dissectors for arbitrary protocols I would be looking
> more into something more similar to lex than to yacc. That is: a
> cursor based tool with an FSM. That means not generating code from
> a context free grammar (like BNF) but looking into a contextual
> parser.
>
> <UDP> {
>    <START> src_pt = UINT(2,"src.port") -> GET_DST.
>    <GET_DST> dst_pt = UINT(2,"dst.port") -> GET_LEN.
>    <GET_LEN> data_len = UINT(2,"len") -> GET_CHK.
>    <GET_CHK> UINT(2,"checksum") -> DATA.
>    <DATA> DISSECT_TABLE(,"udp.port",src_pt,data_len) ||
>           DISSECT_TABLE(,"udp.port",dst_pt,data_len) ||
>           CALL_DISSECTOR("data",data_len).
> }
>
> This would allow to create the tree from the root (as we do) instead
> of building it from the leafs and would allow also to parse truncated
> messages which at least for me should be a requirement for
> dissectors.
>
> Luis
>
> On 10/23/07, Andrew Feren <acferen@xxxxxxxxx> wrote:
> >
> > --- Guy Harris <guy@xxxxxxxxxxxx> wrote:
> >
> > > Graham Bloice wrote:
> > > > Might be interesting for some:
> > > >
> > > > binpac: A yacc for Writing Application Protocol Parsers
> > > > http://lambda-the-ultimate.org/node/2496
> > >
> > > Sebastien Tandel mentioned that back in May - I didn't get around to
> > > replying back then; thanks for reminding me of this and getting me to
> > > reply. Apologies to Sebastien for not replying then....
> > >
> > > Yes, something such as this would, I suspect, be a Very Good Thing.
> >
> > [ snip ]
> >
> > I'm looking at binpac for other reasons, but would be interested in using it
> > to generate Wireshark dissectors too.
> >
> > I do, however, have one question before I head too far down this path. How
> > do people feel about introducing C++ to Wireshark? I ask because binpac
> > currently generates C++ code.
> >
> > I can use binpac as it stands to generate dissectors, but adding a C backend
> > to binpac is out of scope for me at this time.
> >
> > -Andrew
> >
> >
> > -Andrew Feren
> > acferen@xxxxxxxxx
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
>
>
> --
> This information is top security. When you have read it, destroy yourself.
> -- Marshall McLuhan
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 24 Oct 2007 14:21:45 +0530
> From: Harmeet Sawhney <harmeet.sawhney@xxxxxxx>
> Subject: [Wireshark-dev] Support for MGCP over TCP with ASCII TPKT header
> To: wireshark-dev@xxxxxxxxxxxxx
> Cc: harmeet.sawhney@xxxxxxx
> Message-ID: <OFFFC74D38.5C130EF6-ON6525737E.0030AF16-6525737E.0030AF27@xxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Hi,
> I need to submit my changes for a bug (ID: 1856) to support MGCP over TCP
> with ASCII TPKT header. I had tested changes for bug on 0.99.5 version of
> wireshark.
> Now, I need to incorporate the patch in future releases of wireshark. Please
> let me know in which source code version of wireshark, I should merge
> changes for bug 1856 and then submit changes as a patch so that they can be
> incorporated in future releases of wireshark.
>
> Regards,
> Harmeet Singh Sawhney
> Tata Consultancy Services
> TCS Towers, 249 D&E Udyog Vihar,
> Phase IV, Gurgaon
> Gurgaon,Haryana
> India
> Mailto: harmeet.sawhney@xxxxxxx
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty.   IT Services
>                         Business Solutions
>                         Outsourcing
> ____________________________________________
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments. Thank you
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 24 Oct 2007 13:34:11 +0200
> From: Toralf Förster <toralf.foerster@xxxxxx>
> Subject: [Wireshark-dev] make in ./doc entered twice
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <200710241334.12342.toralf.foerster@xxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
>
> I observe the following since some svn revisions:
>
> ...
> creating wireshark
> creating editcap
> (cd doc ; \
>         make ../wireshark-filter.4 )
> (cd doc ; \
>         make ../wireshark-filter.html )
> make[3]: Entering directory `/home/tfoerste/devel/wireshark/trunk/doc'
> WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ../tshark -G fields | /usr/bin/perl ./dfilter2pod.pl ./wireshark-filter.pod.template > wireshark-filter.pod
> make[3]: Entering directory `/home/tfoerste/devel/wireshark/trunk/doc'
> WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ../tshark -G fields | /usr/bin/perl ./dfilter2pod.pl ./wireshark-filter.pod.template > wireshark-filter.pod
> /usr/bin/pod2html \
>         --title="wireshark-filter - The Wireshark Network Analyzer 0.99.7" \
>         --noindex \
>         wireshark-filter.pod > ../wireshark-filter.html
> /usr/bin/pod2man \
>         --section=4 \
>         --center="The Wireshark Network Analyzer" \
>         --release=0.99.7 \
>         wireshark-filter.pod > ../wireshark-filter.4
> make[3]: Leaving directory `/home/tfoerste/devel/wireshark/trunk/doc'
> make[3]: Leaving directory `/home/tfoerste/devel/wireshark/trunk/doc'
>
>
>
> --
> MfG/Sincerely
>
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: This is a digitally signed message part.
> Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/3143fe1d/attachment.pgp
>
> ------------------------------
>
> Message: 4
> Date: Wed, 24 Oct 2007 13:40:39 +0200
> From: Toralf Förster <toralf.foerster@xxxxxx>
> Subject: Re: [Wireshark-dev] epan/.libs/libwireshark.so.0.0.1 is not in scope of make ?
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <200710241340.39799.toralf.foerster@xxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
>
> I opened bug http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1936 :-)
>
> --
> MfG/Sincerely
>
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: This is a digitally signed message part.
> Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/08632e4e/attachment.pgp
>
> ------------------------------
>
> Message: 5
> Date: Wed, 24 Oct 2007 10:19:37 -0600
> From: "Diaconou, Alex" <alex.diaconou@xxxxxxxx>
> Subject: [Wireshark-dev] Wireshark Crashing
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <32A0C17D9C21F84886D0BEDEB6A529BB02686698@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> When I try to capture (select the 'Interfaces' or 'Options' menu items
> under Capture menu), Wireshark crashes. I downloaded the newest Winpcap
> dpack and put it in the wireshark libs and rebuilt, but that did not
> work. I have an auto-installed version of Wireshark on my system which
> works fine. What is the reason for this crash? (memory reference
> error).
>
>
>
> Thanks
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/c0c39426/attachment.htm
>
> ------------------------------
>
> Message: 6
> Date: Wed, 24 Oct 2007 11:39:15 -0500
> From: "DePriest, Jason R." <jrdepriest@xxxxxxxxx>
> Subject: [Wireshark-dev] decoding Remote Desktop Protocol
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <31b7d2790710240939x39154505yd160ec9beb5a17b1@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> After Tenable announced that they are going to have operating system
> detection based on Remote Desktop fingerprinting available to Direct
> Feed customers (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> I thought it would be great to figure out how they are doing that.
>
> Unfortunately, I can't seem to locate any good technical documentation
> on how RDP does what it does.
>
> I considered looking at the linux programs that use it (rdesktop) and
> trying to read their code, but I don't write code myself so it would
> be hit or miss.
>
> RDP is Microsoft's baby and I don't know where to look for in depth docs on it.
>
> Does anyone have a link or two to some helpful stuff that would help
> me break the code? Or will I just need to figure it out the hard way?
>
> Thanks!
>
> -Jason
>
> --
> NOTICE: This email is being sent in clear-text across the public
> Internet. Therefore, any attempts to include unenforceable legalese
> restrictions are ridiculous and pointless. If you can read this,
> consider yourself authorized (whether I like it or not).
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 24 Oct 2007 11:26:01 -0600
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] decoding Remote Desktop Protocol
> To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Message-ID: <20071024172601.GA17898@shadow.local>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Oct 24, 2007 at 11:39:15AM -0500, DePriest, Jason R. wrote:
>
> > Unfortunately, I can't seem to locate any good technical documentation
> > on how RDP does what it does.
> >
> > I considered looking at the linux programs that use it (rdesktop) and
> > trying to read their code, but I don't write code myself so it would
> > be hit or miss.
> >
> > RDP is Microsoft's baby and I don't know where to look for in depth
> > docs on it.
> >
> > Does anyone have a link or two to some helpful stuff that would help
> > me break the code? Or will I just need to figure it out the hard way?
>
> There is little to no public documentation on Remote Desktop. I wanted
> to implement RDP dissection in Wireshark a while back and gave up (I had
> just finished off the VNC dissector which was a pain even with
> documentation). Your best bet is to read the source code to rdesktop
> (which is poorly documented if I remember correctly) and the articles
> under the "Documentation" section of www.rdesktop.org. It is a shame
> they did not document the protocol(s) in a nice fashion while writing
> the code to rdesktop. I do not mean to discourage you or anyone from
> trying to figure it out as it would be a great feature to have in
> Wireshark. I would be willing to help if someone could figure out at
> least enough to get started :)
>
>
> Steve
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
> End of Wireshark-dev Digest, Vol 17, Issue 69
> *********************************************
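Luis's Message 1 argues that a cursor-driven state machine lets a dissector build its tree root-first and cope with truncated packets, where an LR parser only reaches the start symbol after reducing every leaf. The following is an added illustration of that point in C, written for this page and not part of Wireshark or of Luis's proposed tool; it follows the state sequence of his `<UDP>{...}` sketch over a plain byte buffer. The struct layout, the `dissect_udp`/`read_u16`/`add_field` names, the flat root-first "tree" and the sample packet are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not Wireshark code): a cursor-driven state machine that
 * dissects a UDP header in the spirit of the <UDP>{...} sketch. The root
 * node is created before any child, fields are appended in packet order,
 * and a buffer that ends early still yields every field that was fully
 * present plus a truncated flag. Struct layout and field names are assumed. */

#define MAX_FIELDS  8
#define NAME_LEN    16
#define UDP_HDR_LEN 8

/* One node of the (flat, root-first) dissection tree. */
struct field { char name[NAME_LEN]; size_t offset, len; uint32_t value; };

struct udp_tree {
    struct field fields[MAX_FIELDS]; /* fields[0] is the root "udp" node */
    int    nfields;
    int    truncated;   /* buffer ended before the header or declared payload */
    int    bad_length;  /* length field smaller than the 8-byte header */
    size_t payload_off;
    size_t payload_len;
};

/* The cursor: every read is bounds-checked against the captured length. */
struct cursor { const uint8_t *buf; size_t len; size_t pos; };

static int read_u16(struct cursor *c, uint32_t *out)
{
    if (c->len - c->pos < 2)
        return 0;  /* ran off the end; the caller records truncation */
    *out = ((uint32_t)c->buf[c->pos] << 8) | c->buf[c->pos + 1];
    c->pos += 2;
    return 1;
}

static void add_field(struct udp_tree *t, const char *name,
                      size_t off, size_t len, uint32_t value)
{
    struct field *f;
    if (t->nfields >= MAX_FIELDS)
        return;
    f = &t->fields[t->nfields++];
    strncpy(f->name, name, NAME_LEN - 1);
    f->name[NAME_LEN - 1] = '\0';
    f->offset = off; f->len = len; f->value = value;
}

/* States mirror START -> GET_DST -> GET_LEN -> GET_CHK -> DATA in the sketch. */
enum udp_state { S_SRC, S_DST, S_LEN, S_CHK, S_DATA, S_DONE };

/* Returns 1 when the 8-byte header was fully dissected, 0 when the buffer
 * ended inside it. Either way *t holds everything parsed up to that point. */
int dissect_udp(const uint8_t *buf, size_t len, struct udp_tree *t)
{
    struct cursor c = { buf, len, 0 };
    enum udp_state st = S_SRC;
    uint32_t v = 0, udp_len = 0;

    memset(t, 0, sizeof *t);
    add_field(t, "udp", 0, len, 0);  /* root first, children follow */

    while (st != S_DONE) {
        size_t off = c.pos;
        if (st != S_DATA && !read_u16(&c, &v)) {
            t->truncated = 1;  /* keep the partial tree and stop here */
            return 0;
        }
        switch (st) {
        case S_SRC: add_field(t, "udp.srcport",  off, 2, v); st = S_DST; break;
        case S_DST: add_field(t, "udp.dstport",  off, 2, v); st = S_LEN; break;
        case S_LEN: add_field(t, "udp.length",   off, 2, v); udp_len = v; st = S_CHK; break;
        case S_CHK: add_field(t, "udp.checksum", off, 2, v); st = S_DATA; break;
        default:  /* S_DATA: payload length comes from the header, clamped to captured bytes */
            if (udp_len < UDP_HDR_LEN) {
                t->bad_length = 1;
            } else {
                t->payload_len = udp_len - UDP_HDR_LEN;
                if (t->payload_len > len - c.pos) {
                    t->payload_len = len - c.pos;  /* snaplen cut the payload */
                    t->truncated = 1;
                }
            }
            t->payload_off = c.pos;
            add_field(t, "udp.payload", c.pos, t->payload_len, 0);
            st = S_DONE;
            break;
        }
    }
    return 1;
}

/* Constructed sample packet: src port 53, dst port 49152, length 12,
 * checksum 0x1234, then the 4-byte payload "abcd". */
const uint8_t SAMPLE_UDP[12] = {
    0x00, 0x35, 0xC0, 0x00, 0x00, 0x0C, 0x12, 0x34, 'a', 'b', 'c', 'd'
};
```

Feeding `dissect_udp` the full 12-byte sample produces the root node followed by srcport, dstport, length, checksum and payload, in that order. Cutting the same buffer to 5 bytes stops inside the length field, yet the tree already holds the root and both ports and is flagged truncated, which is exactly the behaviour an LR parser cannot give because it would never reach the reduction that creates the root. The length-field checks at the `S_DATA` step are the part a real dissector must not skip: a declared length larger than the captured bytes is clamped rather than trusted, and one smaller than the header is flagged instead of being subtracted into a huge unsigned value.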