Wireshark mailing list archives
Re: Hierarchy of fields & offsets again, more potential offenders
From: "Sultan, Hassan via Wireshark-dev" <wireshark-dev () wireshark org>
Date: Tue, 8 Aug 2017 21:55:31 +0000
-----Original Message----- From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Alexis La Goutte Sent: Tuesday, August 08, 2017 2:09 PM To: Developer support list for Wireshark <wireshark-dev () wireshark org> Subject: Re: [Wireshark-dev] Hierarchy of fields & offsets again, more potential offenders On Tue, Aug 8, 2017 at 12:29 AM, Sultan, Hassan via Wireshark-dev <wireshark- dev () wireshark org <mailto:wireshark-dev () wireshark org> > wrote: Hi Hasan, Can you share your tools ? i can be add to wireshark for found some violation/error...
I am hoping to do exactly that at some point, it's still in early stages at this point though.
Coming back on this and how to solve it, here's a suggestion I have, let me know what you guys think : - Whenever a field is really a helper rather than the actual parsed data (an alternate representation of data in the packet for example, here tcp.payload would be the alternate representation of the data parsed in the following layers) mark the field as FI_GENERATED, or create a new flag for helper fields and mark them as such It is a idea but GENERATED it is not the good field.. it is not possible to ignore some hf on your tools ?
It would be possible but not scalable. People add new dissectors to Wireshark or modify them all the time, and as a result keeping static lists is not something that works long term. We'd need an automated way of recognizing such fields. Hence the idea of a flag... Ultimately I think it would be really super valuable to be able to differentiate fields that are a direct mapping of what is in the packet (in terms of offset/length/datatype) and those that are some interpretation of packet content.
In the case here, tcp.payload would stay under tcp, but flagged as FI_GENERATED or FI_HELPER (or whatever we'd call the flag). The NTLMSSP cases further in the list I gave has a similar case, where an FT_STRING field is present as a helper so the person looking at the parsed packet immediately sees what the offset/length of the string correspond to, but the string it represents is data located in a very different position in the packet and which already has another field representing it. NTMLSSP (and other dissector like GQUIC) use a map-value entry for field and yes, it is a complicated for display this case on Wireshark... and i don't have solution... Adding a flag has the advantage that automation can easily identify these fields and act accordingly (for example to ignore them). Thoughts ? -----Original Message----- From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org <mailto:wireshark-dev-bounces () wireshark org> ] On Behalf Of Sultan, Hassan via Wireshark-dev Sent: Wednesday, August 02, 2017 2:09 PM To: Developer support list for Wireshark <wireshark-dev () wireshark org <mailto:wireshark-dev () wireshark org> > Cc: Sultan, Hassan <sultah () amazon com <mailto:sultah () amazon com> > Subject: Re: [Wireshark-dev] Hierarchy of fields & offsets again, more potential offenders So if this needs to be fixed, but we can't change the tcp protocol length, nor move tcp.payload to the top-level, what are the options left ? My personal view is towards being able to process the information in an automated manner. I'd personally strive for some type of consistency, but I'm not sure what the options are here. > -----Original Message----- > From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org <mailto:wireshark-dev-bounces () wireshark org> ] On > Behalf Of Stig Bjørlykke > Sent: Wednesday, August 02, 2017 1:24 PM > To: Developer support list for Wireshark <wireshark- dev () wireshark org <mailto:wireshark-dev () wireshark org> > > Subject: Re: [Wireshark-dev] Hierarchy of fields & offsets again, more > potential offenders > > On Wed, Aug 2, 2017 at 10:03 PM, Sultan, Hassan via Wireshark-dev > <wireshark- dev () wireshark org <mailto:dev () wireshark org> > wrote: > > Regarding tcp.payload, I don't think tcp.payload in itself has any > > problems. I > think the issue lies in tcp showing a length of 32 only, even though > it has tcp.payload as its child. > > The tcp.payload field was recently added, have a look at > https://code.wireshark.org/review/22374 <https://code.wireshark.org/review/22374> > > I do agree that this is displayed wrong and should be fixed. > Increasing the length of the TCP header would be wrong because the > payload is dissected by upper protocols and does belong with the TCP > header. Putting it at top level would also be wrong because it's not a protocol. > > > -- > Stig Bjørlykke > _________________________________________________________________ > __________ > Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org <mailto:wireshark-dev () wireshark org> > > Archives: https://www.wireshark.org/lists/wireshark-dev <https://www.wireshark.org/lists/wireshark-dev> > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark- dev <https://www.wireshark.org/mailman/options/wireshark-dev> > > mailto:wireshark-dev-request () wireshark org <mailto:wireshark-dev- request () wireshark org> ?subject=unsubscribe __________________________________________________________ _________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org <mailto:wireshark-dev () wireshark org> > Archives: https://www.wireshark.org/lists/wireshark-dev <https://www.wireshark.org/lists/wireshark-dev> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark- dev <https://www.wireshark.org/mailman/options/wireshark-dev> mailto:wireshark-dev-request () wireshark org <mailto:wireshark- dev-request () wireshark org> ?subject=unsubscribe __________________________________________________________ _________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org <mailto:wireshark-dev () wireshark org> > Archives: https://www.wireshark.org/lists/wireshark-dev <https://www.wireshark.org/lists/wireshark-dev> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark- dev <https://www.wireshark.org/mailman/options/wireshark-dev> mailto:wireshark-dev-request () wireshark org <mailto:wireshark- dev-request () wireshark org> ?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 01)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Stig Bjørlykke (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 07)
- Re: Hierarchy of fields & offsets again, more potential offenders Alexis La Goutte (Aug 08)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 08)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 02)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 09)
- Re: Hierarchy of fields & offsets again, more potential offenders Alexis La Goutte (Aug 09)
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 09)
- Re: Hierarchy of fields & offsets again, more potential offenders Stig Bjørlykke (Aug 10)
- Message not available
- Re: Hierarchy of fields & offsets again, more potential offenders Pascal Quantin (Aug 10)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 11)
- Re: Hierarchy of fields & offsets again, more potential offenders Sultan, Hassan via Wireshark-dev (Aug 03)