Re: Dissector for stream data

[Andriy Beregovenko <jet () jet kiev ua>]

Hi,

Also I got another problem:
If I open dump, select frame, and push 'END' I move to end of dump.
At this time all frames between first few frames and few last frames, not
decoded, so I can't correct decode last frame.
Question is: how I can walk through all frames that will be passed to
dissector if we look frames one-by-one? 

On Mon, Dec 19, 2011 at 03:42:05PM +0100, Jaap Keuter wrote:
> On 2011-12-18 14:17, Andriy Beregovenko wrote:
>
> > Hi,
> >
> > Now i'm writing dissector for some kind of traffic. I'm already
> > got basic
> > knowledge in dissector writing, so first primitive version was
> > already done.
> > But now, when I try to complete fully featured version of
> > dissector I got
> > many trobles with routine. So I'm looking for good advice from
> > experienced
> > developers.
> > First of all, let me describe my traffic a little:
> > - most part of traffic is crypted(with rc4)+compressed(with mppc),
> > not
> > crypted is only few start frames;
> > - few start frames(or packets) have rc4 key inside itself;
> >
> > So I do next. When I dissect traffic, i looking for first frames,
> > reads rc4
> > keys from it and put it into static variable, so all other
> > frames(packets)
> > now can be correct decrypted. But I need to decompress(with MPPC),
> > and here
> > I got my troubles, cause I can decompress only 'linearly' incoming
> > data
> > (this is MPPC specific feature), so I'm stuck here. Please, point
> > me to
> > right way to implement such type of dissector.
> > -- Best regards, Andriy 0xBDDBDAE3
>
> Hi,
>
> Two things to be aware of:
> 1. Using statics to store dissection related data (key material in
> your case)
>    is bad style. Why? Image what happens when there are two streams
> in your
>    capture. Which key are you going to store?
>
> 2. You have to be aware that Wireshark accesses frames in random
> order all
>    all the time. Only the first pass is sequential.
>
> Because of 1. there is the notion of 'conversations'. Per
> conversation you
> can store protocol related data (your key). Every time you are asked to
> dissect a packet (remember, this can be in random order!), you have
> access to
> this stored data, in your conversation data.
>
> Because of 2. you can setup your conversation data (your key) on the
> first
> pass (see PINFO_FD_VISITED macro) and use it later on.
>
> Read through doc/README.developer for these subjects.
>
> Thanks,
> Jaap
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

-- 
Best regards,
Andriy
0xBDDBDAE3

Attachment: signature.asc
Description: Digital signature

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe