Ethereal-dev: [ethereal-dev] Reassembling packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Pawel Jasinski <pawelj@xxxxxxxxxxxxxxxx>
Date: Fri, 17 Mar 2000 17:19:45 -0500
I wonder if ethereal has any generic support for protocols which spread
their payload over multiple UDP packets?

What I am talking about in particular is adding support for MPEG transport
stream packets.
I started to do some work on this (people in my office love what
ethereal provides), but I am having trouble in some cases.

The transport stream packets are 188 bytes long. Usually there are a
couple of those in one UDP packet (no problem). The problems start when
I am trying to analyze the protocol covered by transport packets. It often
happens that the payload of the underlying protocol (DCII - not sure of the
meaning) is spread across multiple ts packets. It is quite usual that
those packets are not only far apart in terms of time, but also
interleaved by other ts packets.
To add trouble to the whole picture, there is another layer (TTG) which
follows the same rules. One TTG packet can span multiple DCII packets.

The options I can see are:
- follow the model of "Follow TCP stream" and build a similar "Follow ts
pid" (I don't think it is a generic way, but it looks better than my next
option)
- continue what I have done so far, and use regular dissect routines
(requires some data to be preserved between dissect invocations). I made
the assumption that dissect routines are invoked in order of packet arrival
(not sure).
- once the last chunk of the DCII packet is detected, I can try to trace
back all the pieces and add a virtual packet to the panel (needs some
neat GUI linking among all packets involved).


-- 
Pawel

You can make a difference (it takes less than 30 seconds).
http://www.libranet.com/petition.html
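
An added sketch, not part of the original message and not Ethereal's code, of the second option above (state preserved between dissect calls): per-PID reassembly of units spread over interleaved 188-byte TS packets, with the length checks a dissector needs when parsing untrusted captures. It assumes a unit starts where the standard `payload_unit_start_indicator` bit is set and ends when the next one starts, which the message does not specify for DCII; `ts_feed`, `pid_state` and `MAX_UNIT` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define TS_LEN   188
#define MAX_UNIT 1024            /* assumed hard cap per reassembled unit */

/* Per-PID state preserved between calls (hypothetical names). */
typedef struct {
    uint8_t buf[MAX_UNIT];
    size_t  len;
    int     active;              /* a unit start was seen on this PID */
    int     next_cc;             /* expected continuity_counter */
} pid_state;

static pid_state g_state[8192];  /* PID is a 13-bit field */

/* Feed one 188-byte TS packet, in arrival order. When this packet starts a
 * new unit on a PID that had one in progress, the finished unit is copied to
 * out (at least MAX_UNIT bytes) and its PID is returned; otherwise -1. */
int ts_feed(const uint8_t *p, uint8_t *out, size_t *out_len)
{
    if (p[0] != 0x47) return -1;                  /* sync byte missing */
    int pid  = ((p[1] & 0x1F) << 8) | p[2];
    int pusi = (p[1] >> 6) & 1;                   /* payload_unit_start_indicator */
    int afc  = (p[3] >> 4) & 3;                   /* adaptation_field_control */
    int cc   = p[3] & 0x0F;
    if (!(afc & 1)) return -1;                    /* packet carries no payload */
    size_t off = 4;
    if (afc & 2) off += 1 + (size_t)p[4];         /* skip adaptation field */
    if (off >= TS_LEN) return -1;                 /* length field out of range */

    pid_state *s = &g_state[pid];
    int done = -1;
    /* Simplification: any counter mismatch (loss or duplicate) drops the unit. */
    if (s->active && cc != s->next_cc) s->active = 0;
    if (pusi) {
        if (s->active) { memcpy(out, s->buf, s->len); *out_len = s->len; done = pid; }
        s->len = 0;
        s->active = 1;
    }
    if (s->active) {
        size_t n = TS_LEN - off;
        if (s->len + n > MAX_UNIT) s->active = 0; /* oversized unit: drop it */
        else { memcpy(s->buf + s->len, p + off, n); s->len += n; }
    }
    s->next_cc = (cc + 1) & 0x0F;
    return done;
}
```

Because state is updated on every call, this only works if packets are fed exactly once and in capture order, which is the assumption the message flags as uncertain.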