Wireshark mailing list archives

Re: Follow TCP stream - FTP protocol Export Object


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Tue, 20 Jan 2015 13:29:39 +0100

2015-01-20 12:23 GMT+01:00 leonardocito () libero it <leonardocito () libero it>:

I am implementing object export for the FTP protocol ( File-> Export
Object -> FTP...).


I need to identify the last packet in the FTP-DATA stream to call the
function tap_queue_packet and send the object to the GUI for display.

The ideal solution would be to compare the sum of accrued payloads with
the file size. However this information is not provided in the headers.

I have thought of two possible strategies, none of which is optimal:

   1. use the dissector transfer speed and duration for estimating the
   approximate file length; however that would require matching the FTP-DATA
   conversation and the relevant 226 code response from the header and that is
   not so straightforward.
   2. use the same approach used in the Follow TCP Stream command.
   However it seems that feature is heavily based on applying a display filter
   and seems to be dependent on the GUI.
   3. If I could match each FTP packet to the TCP packet that
   transported it, then I could do all the checks needed to establish if the
   connection is being closed. However I have not found a way to match
   FTP-DATA packets to the relevant TCP packet.

What is the best way to proceed? Can somebody please help me?


Hi,

Isn't using conv->last_frame after the first pass sufficient? I would have
expected it to contain the frame number of the last packet belonging to the
current conversation.
Assuming that you are using the master branch (Wireshark 1.99.X), the
tcpinfo structure (that contains the TCP sequence number, next sequence
number, ...) will be given in the data parameter of the dissector. To have
access to it, you need to change the ftpdata dissector from dissector_t to
new_dissector_t (by using new_register_dissector instead of
register_dissector). If you are on a Wireshark version 1.12.X or earlier, I
think the structure can be found in pinfo->private_data.

Regards,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
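The reply above sketches a two-pass approach: let the first pass record the last frame of each conversation, then on the second pass accumulate FTP-DATA payload and hand the object to the tap when that frame (or a FIN) is reached. The following stand-alone C program is an added example written for this archive page, not code from Wireshark or from either poster. It does not link against libwireshark; the `frame_t` and `conv_t` structs, the field names `last_frame`, `seq`, `nxtseq`, `flags` and the `TH_FIN` constant are constructed stand-ins that mimic the Wireshark fields the reply mentions (conv->last_frame, tcpinfo->seq/nxtseq/flags), and the sample capture is constructed. In a real dissector the second pass corresponds to frames where pinfo->fd->visited is already set and the `exported = 1` line is where tap_queue_packet() would be called.

```c
/*
 * Model of the two-pass "find the last FTP-DATA frame" approach.
 * All structs and names below are stand-ins constructed for this
 * example; they only mimic the Wireshark fields they are named after.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN     0x01   /* TCP FIN bit (same value Wireshark uses for TH_FIN) */
#define MAX_OBJECT 256
#define MAX_CONVS  4

typedef struct {
    uint32_t       num;      /* frame number */
    int            conv;     /* index of the TCP conversation the frame belongs to */
    uint32_t       seq;      /* stand-in for tcpinfo->seq */
    uint32_t       nxtseq;   /* stand-in for tcpinfo->nxtseq */
    uint8_t        flags;    /* stand-in for tcpinfo->flags */
    const uint8_t *payload;  /* segment payload, NULL for a pure ACK/FIN */
    size_t         len;
} frame_t;

typedef struct {
    uint32_t last_frame;     /* learned in pass 1, like conv->last_frame */
    uint32_t expected_seq;   /* sequence number the next in-order segment must carry */
    uint8_t  object[MAX_OBJECT];
    size_t   object_len;
    int      exported;       /* object has been handed to the "tap" */
    int      gap;            /* a segment was missing or out of order */
} conv_t;

/* Pass 1: only learn which frame is the last one of each conversation. */
static void pass1(conv_t *convs, const frame_t *f)
{
    conv_t *c = &convs[f->conv];
    if (f->num > c->last_frame)
        c->last_frame = f->num;
}

/* Pass 2: append in-order payload; export once the conversation's last
 * frame, or a segment carrying FIN, is reached. Returns 1 on export. */
static int pass2(conv_t *convs, const frame_t *f)
{
    conv_t *c = &convs[f->conv];
    if (c->exported)
        return 0;

    if (f->len > 0) {
        if (c->object_len == 0)
            c->expected_seq = f->seq;            /* first data segment sets the baseline */
        if (f->seq != c->expected_seq) {
            c->gap = 1;                          /* loss or retransmission: flag it, don't guess */
        } else if (c->object_len + f->len <= MAX_OBJECT) {
            memcpy(c->object + c->object_len, f->payload, f->len);
            c->object_len += f->len;
            c->expected_seq = f->nxtseq;
        }
    }

    if (f->num == c->last_frame || (f->flags & TH_FIN)) {
        c->exported = 1;                         /* tap_queue_packet() would go here */
        return 1;
    }
    return 0;
}

/* Run both passes over a capture; returns the number of objects exported. */
static int export_ftp_data(conv_t *convs, size_t nconvs,
                           const frame_t *frames, size_t nframes)
{
    int exported = 0;
    memset(convs, 0, nconvs * sizeof *convs);
    for (size_t i = 0; i < nframes; i++)
        pass1(convs, &frames[i]);
    for (size_t i = 0; i < nframes; i++)
        exported += pass2(convs, &frames[i]);
    return exported;
}

/* Constructed capture: one FTP-DATA connection carrying "Hello, FTP" in two
 * segments, then a pure FIN|ACK. Frame numbers are not contiguous because
 * control-channel frames would sit between them in a real trace. */
static const uint8_t seg1[] = "Hello, ";
static const uint8_t seg2[] = "FTP";
static const frame_t capture[] = {
    { 10, 0, 1000, 1007, 0x18, seg1, 7 },   /* PSH|ACK */
    { 12, 0, 1007, 1010, 0x18, seg2, 3 },   /* PSH|ACK */
    { 15, 0, 1010, 1011, 0x11, NULL, 0 },   /* FIN|ACK closes the data connection */
};

int main(void)
{
    conv_t convs[MAX_CONVS];
    size_t n = sizeof capture / sizeof capture[0];
    int exported = export_ftp_data(convs, MAX_CONVS, capture, n);
    printf("exported=%d last_frame=%u object=\"%.*s\"\n", exported,
           convs[0].last_frame, (int)convs[0].object_len, convs[0].object);
    return 0;
}
```

The sequence-number check is the part tcpinfo buys you: without it, a retransmitted segment would be appended twice and the exported file would be corrupt, so the model records a gap instead of silently concatenating.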
