tcpdump mailing list archives

Re: Proposed new pcap format


From: Guy Harris <guy () alum mit edu>
Date: Wed, 14 Apr 2004 12:38:07 -0700


On Apr 14, 2004, at 12:06 AM, Jefferson Ogata wrote:

Additional protocol dissectors for protocols unknown to tcpdump/tethereal could be written in any language with XML support (preferably event-based). In fact, many protocol analyzers could be written directly in XSLT/XPath and processed using xsltproc. Among other things, this provides many means to eliminate the continuing problem of buffer overflows.

And those means are? XSLT looks as if it's primarily oriented towards processing structured XML documents, not towards processing a lump of raw binary data, which is what a protocol dissector does (even in an XML capture file, where it's still a lump of raw binary data that happens to be base-64 encoded). Perhaps it can be beaten into doing those sorts of dissection, but I'm not sure I see a good match between the tool and the job - about all that XSLT appears to give you for free is the ability to output XML, but that's only the end stage of dissection, and the buffer overflows in tcpdump are either the result of going past the end of the *input* data or perhaps copying from that data into a fixed-length buffer - perhaps XSLT implementations do bounds checking for you, but that just means that the problem is a lack of bounds checking; there might be other ways of getting that bounds checking done (e.g., having some *other* higher-level language in which to write dissectors, which might be compiled into C code that does all the relevant bounds checking, etc.).
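As an added illustration of the point made above (example code, not part of the original message and not tcpdump's own dissector code): a dissector working on a raw lump of bytes prevents overflows by checking the captured length before every read and by formatting into fixed-length buffers with a bounded call. The frame below is a constructed Ethernet/IPv4 header (checksum left at zero), not captured traffic; the function names and result structure are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample frame: 14-byte Ethernet header followed by a
   20-byte IPv4 header with no options (checksum not computed). */
static const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* source MAC */
    0x08, 0x00,                           /* EtherType: IPv4 */
    0x45, 0x00, 0x00, 0x14,               /* version/IHL, TOS, total length 20 */
    0x00, 0x00, 0x40, 0x00,               /* id, flags/fragment offset */
    0x40, 0x06, 0x00, 0x00,               /* TTL, protocol TCP, checksum */
    0x0a, 0x00, 0x00, 0x01,               /* source 10.0.0.1 */
    0xc0, 0x00, 0x02, 0x07                /* destination 192.0.2.7 */
};

enum { DISSECT_OK = 0, DISSECT_TRUNCATED = -1,
       DISSECT_UNSUPPORTED = -2, DISSECT_MALFORMED = -3 };

#define ETH_HDR_LEN 14
#define IPV4_MIN_HDR_LEN 20

typedef struct {
    uint16_t ethertype;
    uint8_t  ip_version;
    uint8_t  ihl;          /* header length in bytes */
    uint16_t total_len;
    uint8_t  proto;
    char     src[16];      /* fixed-length buffers: "255.255.255.255" + NUL */
    char     dst[16];
} dissect_result;

/* Read a big-endian 16-bit field only if both bytes lie inside the buffer.
   Written as (len - off < 2) rather than (off + 2 > len) to avoid overflow
   in the arithmetic itself. */
static int get_be16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return 0;
    *out = (uint16_t)(((unsigned)buf[off] << 8) | buf[off + 1]);
    return 1;
}

/* Dissect one frame given the number of bytes actually captured (caplen).
   Every access is preceded by a length check, so a truncated capture
   yields DISSECT_TRUNCATED instead of a read past the end of the input. */
int dissect_frame(const uint8_t *buf, size_t caplen, dissect_result *r)
{
    memset(r, 0, sizeof *r);

    if (caplen < ETH_HDR_LEN)
        return DISSECT_TRUNCATED;
    if (!get_be16(buf, caplen, 12, &r->ethertype))
        return DISSECT_TRUNCATED;
    if (r->ethertype != 0x0800)
        return DISSECT_UNSUPPORTED;

    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t iplen = caplen - ETH_HDR_LEN;
    if (iplen < IPV4_MIN_HDR_LEN)
        return DISSECT_TRUNCATED;

    r->ip_version = ip[0] >> 4;
    r->ihl = (uint8_t)((ip[0] & 0x0f) * 4);
    if (r->ip_version != 4 || r->ihl < IPV4_MIN_HDR_LEN)
        return DISSECT_MALFORMED;
    /* The header's own length field is untrusted input: options it claims
       may not have been captured. */
    if (iplen < r->ihl)
        return DISSECT_TRUNCATED;

    if (!get_be16(ip, iplen, 2, &r->total_len))
        return DISSECT_TRUNCATED;
    r->proto = ip[9];

    /* Bounded formatting into the fixed-length address buffers. */
    snprintf(r->src, sizeof r->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(r->dst, sizeof r->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    return DISSECT_OK;
}

int main(void)
{
    dissect_result r;
    int rc = dissect_frame(sample_frame, sizeof sample_frame, &r);
    printf("rc=%d ethertype=0x%04x proto=%u %s -> %s\n",
           rc, r.ethertype, r.proto, r.src, r.dst);
    rc = dissect_frame(sample_frame, 20, &r);
    printf("truncated capture: rc=%d\n", rc);
    return 0;
}
```

The two failure modes Guy names map onto two habits here: the length of the captured data is compared against every offset before it is dereferenced, and the only copies into fixed-size storage go through a call that takes the destination size. A dissector generated from a higher-level description could emit exactly these checks mechanically.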

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
