Wireshark mailing list archives
Re: Dissector for stream data
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Mon, 19 Dec 2011 15:42:05 +0100
On 2011-12-18 14:17, Andriy Beregovenko wrote:
Hi,

Now I'm writing a dissector for some kind of traffic. I already got basic knowledge in dissector writing, so a first primitive version was already done. But now, when I try to complete a fully featured version of the dissector, I get many troubles with the routine. So I'm looking for good advice from experienced developers.

First of all, let me describe my traffic a little:
- most part of the traffic is encrypted (with RC4) + compressed (with MPPC); not encrypted are only a few start frames;
- a few start frames (or packets) have the RC4 key inside themselves;

So I do the following. When I dissect traffic, I look for the first frames, read the RC4 keys from them and put them into a static variable, so all other frames (packets) now can be correctly decrypted. But I need to decompress (with MPPC), and here I get my troubles, because I can decompress only 'linearly' incoming data (this is an MPPC-specific feature), so I'm stuck here. Please, point me to the right way to implement such a type of dissector.

--
Best regards,
Andriy
0xBDDBDAE3
Hi,

Two things to be aware of:

1. Using statics to store dissection related data (key material in your case) is bad style. Why? Imagine what happens when there are two streams in your capture. Which key are you going to store?
2. You have to be aware that Wireshark accesses frames in random order all the time. Only the first pass is sequential.

Because of 1. there is the notion of 'conversations'. Per conversation you can store protocol related data (your key). Every time you are asked to dissect a packet (remember, this can be in random order!), you have access to this stored data, in your conversation data.

Because of 2. you can set up your conversation data (your key) on the first pass (see the PINFO_FD_VISITED macro) and use it later on.

Read through doc/README.developer for these subjects.

Thanks,
Jaap

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
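The two points in the reply above, modelled in C as an added example that is neither code from this thread nor from Wireshark: a constructed five-frame capture with two interleaved streams is dissected once sequentially and then again in arbitrary order, first with a single static key and then with per-conversation data that is only filled in while the key frame is unvisited. The frame struct, the `conv_data` table and the XOR "cipher" are assumptions standing in for packet_info, Wireshark's conversation API and RC4.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed frame model: conv stands in for the address/port tuple, visited for PINFO_FD_VISITED. */
typedef struct { int conv; bool visited; bool is_key; uint8_t byte; } frame_t;

enum { NFRAMES = 5, MAX_CONV = 2 };
static uint8_t static_key;                                        /* the pattern to avoid */
static struct { bool has_key; uint8_t key; } conv_data[MAX_CONV]; /* per-conversation data */

/* Variant 1: one static key shared by every stream in the capture. */
static uint8_t dissect_static(frame_t *f) {
    if (f->is_key) { static_key = f->byte; return 0; }
    return f->byte ^ static_key;                 /* toy XOR stands in for RC4 */
}

/* Variant 2: key kept per conversation, stored only when the key frame is seen the first time. */
static uint8_t dissect_conv(frame_t *f) {
    if (f->is_key) {
        if (!f->visited) { conv_data[f->conv].has_key = true; conv_data[f->conv].key = f->byte; }
        f->visited = true;               /* later visits (random order) only look the key up */
        return 0;
    }
    return conv_data[f->conv].has_key ? f->byte ^ conv_data[f->conv].key : 0;
}

/* Constructed capture: a key frame per conversation, then both streams' data frames interleaved. */
static const uint8_t expected[NFRAMES] = { 0, 0, 'H', 'W', 'i' };   /* plaintext per data frame */
static void build_capture(frame_t *f) {
    const frame_t init[NFRAMES] = {
        { 0, false, true, 0x5A }, { 1, false, true, 0xC3 },
        { 0, false, false, 'H' ^ 0x5A }, { 1, false, false, 'W' ^ 0xC3 }, { 0, false, false, 'i' ^ 0x5A } };
    memcpy(f, init, sizeof init);
}

/* Sequential first pass, then a second pass in the caller's order; returns correct data frames. */
int second_pass_correct(bool use_conv, const int *order) {
    uint8_t (*dissect)(frame_t *) = use_conv ? dissect_conv : dissect_static;
    frame_t frames[NFRAMES]; int ok = 0;
    build_capture(frames);
    static_key = 0; memset(conv_data, 0, sizeof conv_data);   /* fresh state per run */
    for (int i = 0; i < NFRAMES; i++) dissect(&frames[i]);     /* pass 1: frames 0..4 in order */
    for (int i = 0; i < NFRAMES; i++) {                        /* pass 2: arbitrary order */
        frame_t *f = &frames[order[i]];
        uint8_t out = dissect(f);
        if (!f->is_key && out == expected[order[i]]) ok++;
    }
    return ok;
}
```

With the static key, the second stream's key frame overwrites the first stream's key, so only one of the three data frames decrypts correctly in either order; with per-conversation data all three do, whatever order the second pass uses.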