I've been working on a Socks dissector. It is mostly working, but I have some problems. It is a state machine that decodes the incoming TCP stream and modifies the current state until the entire socks initialization routine is done. Then the socks remote port is used to call another TCP dissector to handle the data in the socks connection. Each socks connection is kept in a hash table based upon the source address and port, and destination address and port.

The problem I'm running into is how to clear the hash table between captures. After spending this time looking at decoding a TCP stream, I've come to appreciate the problems decoding a command/response conversation in a TCP stream.

1) Is there a method to re-initialize a dissector?
2) It would be nice if the TCP dissector would call a method when a new connection is created.
3) It would be nice if the TCP dissector would call a method when a new connection is closed.

What I would really like to see is a call to register a protocol on a TCP port something like this...

register_tcp_port( guint16 port,
    void (*dissector_initialize)(...),      /* called at start of capture */
    void (*dissect_new_connection)(...),    /* called when SYN happens */
    void (*dissect_data)(...),              /* called during data stream */
    void (*dissect_close_connection)(...)   /* called when FIN happens */
);

Comments/Question/Suggestions ??
Jeff Foster
jfoste@xxxxxxxxxxxx
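
Added example, not part of the original message and not Ethereal code: a minimal per-connection state table keyed on the address/port 4-tuple, with the four lifecycle hooks the message asks for, so that state is dropped at capture start, on connection reuse, and on close. All names are hypothetical, and the state machine is reduced to one step per data segment instead of parsing SOCKS bytes.

```c
#include <stdint.h>
#include <stdlib.h>

/* All names are hypothetical; this is not Ethereal's API. */
enum socks_state { ST_NONE, ST_REQUEST, ST_REPLY, ST_DONE };
struct conv_key { uint32_t src, dst; uint16_t sport, dport; };
struct conv { struct conv_key key; enum socks_state state; struct conv *next; };

#define NBUCKETS 64
static struct conv *table[NBUCKETS];

static unsigned bucket(const struct conv_key *k) {
    return (k->src ^ k->dst ^ k->sport ^ ((uint32_t)k->dport << 16)) % NBUCKETS;
}

/* Address of the link pointing at the entry for k, or at the chain's NULL end. */
static struct conv **find_link(const struct conv_key *k) {
    struct conv **p = &table[bucket(k)];
    while (*p && !((*p)->key.src == k->src && (*p)->key.dst == k->dst &&
                   (*p)->key.sport == k->sport && (*p)->key.dport == k->dport))
        p = &(*p)->next;
    return p;
}

/* Start of capture: free every entry so no state leaks into the next capture. */
void socks_initialize(void) {
    for (int i = 0; i < NBUCKETS; i++)
        while (table[i]) { struct conv *c = table[i]; table[i] = c->next; free(c); }
}

/* FIN seen: drop the connection's state. Returns 1 if an entry was removed. */
int socks_close_connection(struct conv_key k) {
    struct conv **p = find_link(&k), *c = *p;
    if (!c) return 0;
    *p = c->next;
    free(c);
    return 1;
}

/* SYN seen: start from a clean state even if the 4-tuple was used before. */
int socks_new_connection(struct conv_key k) {
    socks_close_connection(k);
    struct conv *c = calloc(1, sizeof *c);
    if (!c) return 0;
    c->key = k; c->state = ST_REQUEST;
    c->next = table[bucket(&k)]; table[bucket(&k)] = c;
    return 1;
}

/* Data segment: advance the state machine one step; ST_NONE means untracked. */
enum socks_state socks_data(struct conv_key k) {
    struct conv *c = *find_link(&k);
    if (!c) return ST_NONE;
    if (c->state != ST_DONE) c->state = (enum socks_state)(c->state + 1);
    return c->state;
}
```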