Ethereal-dev: Re: [Ethereal-dev] more hidden fields

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaime Fournier <jafour1@xxxxxxxxx>
Date: Thu, 20 Jun 2002 19:05:44 -0700 (PDT)
Excellent!
This is going to make my job a lot easier.
I am packet logging, and using the info field for all
my stuff, but the op code makes it MUCH easier to key
on. Keeps me from post filtering it as well!


--- Tim Potter <tpot@xxxxxxxxx> wrote:
> On Tue, May 14, 2002 at 08:47:58PM -0700, Guy Harris wrote:
>
> > On Wed, May 15, 2002 at 01:16:11PM +1000, Tim Potter wrote:
> > > This hidden field business got me thinking.  I've made a small change to
> > > the dcerpc init routines which allows you to filter by string names for
> > > dcerpc subcommands.
> > >
> > > I've changed dcerpc_init_uuid() to take an extra value - a hf field
> > > which corresponds to the opnum for the subdissector with a value_string
> > > array associated with it.  The dcerpc_try_handoff() routine inserts a
>
> [...]
>
> > I'd thought about the same thing a while ago; I forget whether I
> > mentioned it to ethereal-dev or not.  (I *did* mention it in the comment
> > on line 1028 or so in "packet-dcerpc.c". :-))
> >
> > I think it's the right thing to do.
> >
> > However, you might, instead, want to *replace* the call *after* the
> > comment I mentioned with a call to add the subdissector's field as a
> > *non*-hidden field (and get rid of "hf_dcerpc_op").  That would let you
> > do a "Match Selected" on that entry in the protocol tree.
>
> I've found a bit of spare time and implemented this.  There is an extra field
> in the dcerpc_uuid_value structure which holds a hf value.  This is
> initialised by the protocol dissector that registers the DCERPC
> subprotocol.  If this value is not -1, it is inserted into the proto
> tree!
>
> So you can now do things like filter on 'spoolss.opnum == openprinterex'
> to catch all open printer requests and replies.
>
> I'm in the process of updating all the dcerpc dissectors for this and if
> there aren't any objections I'd like to check it in later on today.
>
>
> Tim.


=====
Jaime Fournier
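
An added C sketch (not from the thread and not Ethereal's source) modelling the behaviour described in the quoted message: a per-interface opnum field backed by a value_string table, which can be filtered by name only when the registered hf value is not -1. The struct layouts, the function name match_opnum_filter, the sample opnum values and the case-insensitive name comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Simplified stand-ins for the structures named in the thread (hypothetical layout). */
typedef struct { unsigned value; const char *strptr; } value_string;

typedef struct {
    const char *abbrev;        /* filter prefix, e.g. "spoolss" */
    int opnum_hf;              /* -1: subdissector registered no opnum field */
    const value_string *names; /* opnum names, terminated by a NULL strptr */
} uuid_value;

/* Constructed sample table for the spoolss interface. */
static const value_string spoolss_opnums[] = {
    { 0x1d, "ClosePrinter" }, { 0x45, "OpenPrinterEx" }, { 0, NULL }
};
static const uuid_value spoolss  = { "spoolss",  1, spoolss_opnums };
static const uuid_value no_field = { "spoolss", -1, spoolss_opnums };

/* Evaluate "<abbrev>.opnum == <name>" against one packet's opnum.
 * Returns 1 on match, 0 on no match, -1 if the filter cannot be
 * evaluated (bad syntax, no field registered, unknown name). */
int match_opnum_filter(const uuid_value *u, const char *filter, unsigned pkt_opnum)
{
    char abbrev[32], name[64];
    const value_string *vs;

    if (sscanf(filter, "%31[^.].opnum == %63s", abbrev, name) != 2)
        return -1;
    if (strcasecmp(abbrev, u->abbrev) != 0 || u->opnum_hf == -1)
        return -1;
    for (vs = u->names; vs->strptr != NULL; vs++)
        if (strcasecmp(name, vs->strptr) == 0)
            return pkt_opnum == vs->value;
    return -1; /* reject unknown names instead of silently matching nothing */
}

int main(void)
{
    const char *f = "spoolss.opnum == openprinterex";
    printf("%d %d %d\n", match_opnum_filter(&spoolss, f, 0x45),
           match_opnum_filter(&spoolss, f, 0x1d),
           match_opnum_filter(&no_field, f, 0x45));
    return 0;
}
```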
