Wireshark mailing list archives

Re: SCTP De-chunking support


From: vineeth vijay <vineethvijaysv () gmail com>
Date: Fri, 11 Jan 2013 02:14:52 +0530

Hi,

Yes, highlighting would work too. Ultimately the application info
corresponding to the display filter should be visible easily without the need
to scroll through the entire frame. Any suggestions on how to achieve this?
I think a GUI coloring implementation would paint the entire frame with the
same color, wouldn't it?

Vineeth

On Fri, Jan 11, 2013 at 1:44 AM, Michael Tuexen <
Michael.Tuexen () lurchi franken de> wrote:


On Jan 10, 2013, at 8:49 PM, vineeth vijay wrote:

Hi,

Dissection is fine. What I was wondering is whether it is possible to
show these individual data chunks as separate frames themselves.

But they are in the same frame. I really prefer not to show them in a
way they have not been on the wire.

Basically agreed on the above point. Changing the default behavior may
not be good due to all the copied lower layer bytes and resulting increase
in the size of capture in case there are 4-5 chunks per packet. But still
feel it would be a nice optional feature to have when doing actual offline
analysis.

I do understand that it is sometimes hard to find the application layer
packet when using display filters and there are multiple application layer
packets bundled in a single frame. I also have traces with a large number
of bundled chunks.

Hence, when I apply a display filter, only the chunks with exact
matches should be visible. Is this supported currently?

No. Filtering is based on packets. Not sure how to improve that. We
can't show 'half' of a packet.
However, there might be ways to draw your attention to the upper layer
packet which matches the filter.

Regarding above point, would like to suggest that the packet information
being displayed can be restricted to the PDU which actually matches the
display filter. E.g., out of an SCTP packet carrying 3-4 M3UA chunks, the
pinfo of only the chunk matching the filter can be displayed?

Thinking about this... What about displaying only the frames which match
a display filter (like today)?
However, it might be helpful to highlight that part (like the M3UA packet)
which matches the display filter.
This should allow one to find the upper layer packet pretty fast. What do you
think?

Best regards
Michael

Vineeth

On Fri, Jan 11, 2013 at 12:54 AM, Michael Tuexen <
Michael.Tuexen () lurchi franken de> wrote:
On Jan 10, 2013, at 5:31 PM, vineeth vijay wrote:

Hi,

Dissection is fine. What I was wondering is whether it is possible to
show these individual data chunks as separate frames themselves.

But they are in the same frame. I really prefer not to show them in a
way they have not been on the wire.

Hence, when I apply a display filter, only the chunks with exact
matches should be visible. Is this supported currently?

No. Filtering is based on packets. Not sure how to improve that. We
can't show 'half' of a packet.
However, there might be ways to draw your attention to the upper layer
packet which matches the filter.

Best regards
Michael
Currently, I use the below tool for this purpose:
http://frox25.no-ip.org/~mtve/wiki/SctpDechunk.html

Regards,
Vineeth

What problem are you trying to solve? Wireshark has supported dissecting
the upper layer payload for bundled DATA chunks for ages...

Best regards
Michael

Vineeth

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
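
What "de-chunking" a bundled SCTP packet involves, as an added example that is not part of the original thread and is not Wireshark's or the SctpDechunk tool's code: it walks the chunks of one packet (layout per RFC 4960) and reports which bundled DATA chunks match a predicate. Function names and the sample packet are constructed for illustration.

```python
import struct

COMMON_HDR_LEN = 12   # src port, dst port, verification tag, checksum
DATA_CHUNK = 0        # SCTP DATA chunk type (RFC 4960)
DATA_FIXED_LEN = 12   # TSN, stream id, stream seq, PPID after the chunk header

def split_chunks(packet: bytes):
    """Yield (type, flags, value) for every chunk in one SCTP packet."""
    if len(packet) < COMMON_HDR_LEN:
        raise ValueError("truncated SCTP common header")
    off = COMMON_HDR_LEN
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        # length < 4 would stall the loop; an over-long length would read
        # past the capture, so reject both instead of trusting the field
        if length < 4 or off + length > len(packet):
            raise ValueError(f"bad chunk length {length} at offset {off}")
        yield ctype, flags, packet[off + 4:off + length]
        off += (length + 3) & ~3   # chunks are padded to a 4-byte boundary

def data_chunks(packet: bytes):
    """Return [(tsn, stream_id, ppid, payload)] for each bundled DATA chunk."""
    out = []
    for ctype, _flags, value in split_chunks(packet):
        if ctype != DATA_CHUNK:
            continue
        if len(value) < DATA_FIXED_LEN:
            raise ValueError("DATA chunk shorter than its fixed header")
        tsn, sid, _ssn, ppid = struct.unpack_from("!IHHI", value)
        out.append((tsn, sid, ppid, value[DATA_FIXED_LEN:]))
    return out

def matching(packet: bytes, predicate):
    """Indexes of the bundled DATA chunks that satisfy predicate."""
    return [i for i, c in enumerate(data_chunks(packet)) if predicate(c)]

def build_sample() -> bytes:
    """Constructed packet: three bundled DATA chunks, checksum left zero."""
    def data(tsn, ppid, payload):
        body = struct.pack("!IHHI", tsn, 0, tsn, ppid) + payload
        chunk = struct.pack("!BBH", DATA_CHUNK, 0x03, 4 + len(body)) + body
        return chunk + b"\x00" * (-len(chunk) % 4)
    hdr = struct.pack("!HHII", 2905, 2905, 0x1234ABCD, 0)
    return hdr + data(1, 3, b"m3ua-A") + data(2, 3, b"m3ua-BB") + data(3, 46, b"other")
```

With PPID 3 (M3UA) as the predicate, `matching(build_sample(), lambda c: c[2] == 3)` selects the first two chunks of the frame and leaves the third out, which is the per-chunk view the thread asks for.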

