Ethereal-dev: RE: [Ethereal-dev] Packets Spanning Packets
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Evan Hughes <ehughes@xxxxxxxxx>
Date: Fri, 2 Mar 2001 10:29:58 -0500
From: Guy Harris [mailto:guy@xxxxxxxxxx] > Are you trying to do a stream view, or a packet view, or a frame view? > > A stream view - in the sense of what Follow TCP Stream does, i.e. > showing a window that shows a textual display of a conversation, > *without* having a list of individual packets and a protocol tree > display for each packet - wouldn't show the out-of-order and duplicate > packet information. > > Neither would a packet view, in the sense of a view showing: > > a scrolling packet list window, with one line per higher-level > packet; > > a protocol tree pane, showing the protocol tree for the > currently selected higher-level packet (meaning it would start > the dissection at the first protocol layer *above* the > framgentation - UDP for NFS-over-UDP, ONC RPC for NFS-over-TCP, > NetBIOS Session Service for SMB-over-NetBIOS-over-TCP, etc.; > lower-level stuff, such as the link layer or IP, wouldn't show > up in that protocol tree). Ummm, I think this is what I mean. After the fragments have been reassembled, their payload is treated as a stream (ignoring the individual packets that carried them). "High level" packets are detected in this stream, and they are displayed. > However, a frame view would - and supporting some level of > reassembly at > the frame level could be useful. Is this the current view that ethereal provides? > > > It might make sense to flesh out the "follow stream" > window: instead of > > showing just the text of the stream, break it down into > packets in the same > > style that the main window is displayed. > > Is that a stream view or a packet view, in the taxonomy above? It's a packet view (ie, showing Gnutella packets) on the stream. The packets that carried the stream are ignored: we don't care how the stream got here, just what it carries. > > On a related topic: Would the standard dissector > signature work on a > > stream? As I understand it, dissectors are called on > packets with a known > > size. > > It wouldn't work on a TCP stream. Okay. That was what I was wondering. ... > Hand dissectors for protocols running atop TCP the TCP payload, *with > duplicate data excised, and with the dissectors called with > the payload > data in time order*. Ummm, wouldn't we want to elide the data together? Provide the higher-level (ie, stream level) dissectors with something like a single tvbuff that represents the entire contents of the stream. The dissector would be responsible for finding the start and end points of the current packet, chopping it up, and telling ethereal where in the stream the packet ends. > (Note that no matter *WHAT* you do, the dissectors will have > to be able > to cope with *missing* data; even if there was no missing data on the > wire, it might not have been captured....) In a high level (over TCP) protocol, why would we deal with missing data? The OS would not inform the application about the missing data until it had been recovered. > The dissector would dissect what packets it can in that TCP > segment. If > it finds that the last packet is continued in a subsequent segment, it > would remember what state information it had maintained, and > would, when > the next segment came in, see whether that completes the > packet. If so, > it'd then dissect that packet, and continue processing the segment; if > not, it'd update the state information and continue. Would the dissector have to be responsible for maintaining state here? It'd be really nice if ethereal silently paused the high-level dissector until enough data came in to fill the dissectors request, at which point the dissector is allowed to continue. I'm imagining that the same high-level dissector would be passed the same (composite) tvbuff repeatedly. The dissector would request a few fields per high-level packet. If the dissector requested more data than the tvbuff held, it would be paused. When the tvbuff grew past the size of data the dissector requested, the data request would be fulfilled and control passed back to the dissector. > If this is being used for a stream view, that would be sufficient; the > protocol tree text would be dumped into the stream window, > presumably in > "expand all levels" form. I was thinking of something along the lines of only showing the high level packets. You wouldn't see anything below (since that can be tracked in the current ethereal ui). Is this what you mean? > If this is being used for a *packet* view, however, it would have to > remember, for each packet in the packet list, enough information so > that, when you click on that packet, it can find the frames that > comprise the packet, and the parts of the first and last > frame that are > included in the packet. Sound hard. > And if this is being used for a *frame* view, it would have to attach > that information to the frames. Ditto. e
- Follow-Ups:
- Re: [Ethereal-dev] Packets Spanning Packets
- From: Guy Harris
- Re: [Ethereal-dev] Packets Spanning Packets
- Prev by Date: Re: [Ethereal-dev] Packets Spanning Packets
- Next by Date: RE: [Ethereal-dev] Registering nonstandard protocol ports w/o rec ompi ling
- Previous by thread: Re: [Ethereal-dev] Packets Spanning Packets
- Next by thread: Re: [Ethereal-dev] Packets Spanning Packets
- Index(es):