Ethereal-dev: Re: [Ethereal-dev] Packets Spanning Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 2 Mar 2001 11:58:35 -0800 (PST)
>    Ummm, I think this is what I mean. After the fragments have been
> reassembled, their payload is treated as a stream (ignoring the individual
> packets that carried them). "High level" packets are detected in this
> stream, and they are displayed. 

If that's what you mean, then the high-level packets would be displayed
in the same way the frames are displayed - there'd be a window giving a
list of packets, showing a summary of the packets, and allowing you to
click on a packet in that list, and a window giving a protocol-tree view
for the currently-selected packet, allowing you to open and close the
various tree nodes.

This means you'd have to do a fair bit of GUI work as well to create
those new windows, add callbacks for operations such as selecting a
packet in the list, etc.

> > However, a frame view would - and supporting some level of 
> > reassembly at
> > the frame level could be useful.
> 
>   Is this the current view that ethereal provides?

Yes.

> > Hand dissectors for protocols running atop TCP the TCP payload, *with
> > duplicate data excised, and with the dissectors called with 
> > the payload
> > data in time order*.
> 
>    Ummm, wouldn't we want to elide the data together? Provide the
> higher-level (ie, stream level) dissectors with something like a single
> tvbuff that represents the entire contents of the stream.

There is no guarantee that the entire stream would fit into memory. 
(No, there really is *NO GUARANTEE*, because somebody could decide to do
a Really Long Capture.)

> > (Note that no matter *WHAT* you do, the dissectors will have 
> > to be able
> > to cope with *missing* data; even if there was no missing data on the
> > wire, it might not have been captured....)
> 
>    In a high level (over TCP) protocol, why would we deal with missing data?
> The OS would not inform the application about the missing data until it had
> been recovered. 

"The application" being discussed here is Ethereal, not Gnutella, and
the level of "the OS" it's dealing with has *no clue* that there *is*
any missing data - it's not receiving data from the TCP implementation,
it's receiving data from the *raw link-layer* implementation.