Ethereal-dev: Re: [Ethereal-dev] RFC framework for graphical extensions like the recent rate

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jason House <jhouse@xxxxxxxxx>
Date: Thu, 27 Jun 2002 15:06:34 -0400
Unfortunately, I have been unable to share my work on extending ethereal with the general developer community.  I hope to be able to use the recent push for graphing as a window to share some of the work that I've done.  I won't know if I can share anything until late next week at the earliest, but I still want to share what kind of implementation I've done in the hope that it will help with the conceptual development... and hopefully pave a way to allow some of my stuff to get incorporated into the core ethereal source.   It is currently based on STL, but I know that glib provides similar functionality and that this stuff could be ported over with some effort.

Now that I've gotten that out of the way...
In a nutshell, I've merged protocol hierarchy statistics with graphing/rate graphing capabilities.  I didn't just do protocol hierarchy statistics though... I tried to adopt a more generic structure.  I adopted a hierarchical structure for accessing data to graph, exactly what was in the hierarchy was left open.

Before I describe implementations that I've used, I want to give some examples of just what kind of information was held in the hierarchy...
Here is a snippet from my current config file
(reformatted a bit to look right in my e-mail editor... probably terrible in other editors...)
TABLE
NAME      IP_SRC_DST
ID        9
KEY       ip.src
KEY       ip.dst
VALUE     ip.len
PLOT      YES
ENABLE    YES
This generates a hierarchy with 2 levels (beyond separation by table ID).
You can access graphs by looking just at the source ip address  (graphs currently are rate graphs, packet size histograms, and mean value per time interval)  You can also access graphs by looking at the source ip address + destination ip address pair.  I currently restrict the VALUE to be any numerical filterable field.  The KEY fields are fvalue_t and can be any filterable field in ethereal.

I've added a bit of code to find when a packet is first being dissected  (generally in the file load stage or "update list of packets in real time"...)  My method was to walk the tree generated by the ethereal dissectors.  I've even implemented a browsing of the tree that conforms with stuff such as OSPF's LSA's.  (I also have modified packet-ospf to have some filterable fields... I have not submitted the patch for that yet, but do plan to do so soon)  The graphs/summaries can be displayed in both ethereal and tethereal.  Ethereal has a gtk implementation that it uses for displaying the hierarchical information.  It is currently based on a list instead of a tree, but has a set of boxes to specify what to show in the list...  Graphing in ethereal is done with a modified version of gtkfigure.c... something I found online.  The original author does not reply to e-mails... :(  I like it because it makes matlab-like plots...  Tethereal writes tables to files.  What it puts in the table has an analogous structure to the list in ethereal.  The "what to show" filters are the same...  Tethereal also writes out time series data to a file which I then can open/analyze in matlab...

I also have an older, less well integrated form of this stuff, but I won't describe it here...
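The following is an added illustration, not Jason House's code and not part of Ethereal: a small C++/STL model of the TABLE config block quoted in the mail and of the two-level key hierarchy it generates. A parser reads the KEYWORD/argument lines, and each packet is walked down the tree so that the source-only node and the source+destination node both accumulate a count, a sum of the VALUE field, a per-second rate and a coarse size histogram (the three kinds of graph the mail mentions). The Packet struct, the 64-byte histogram bins, the helper names and the four sample packets are all constructed assumptions for this example.

```cpp
// Added example (not Jason House's or Ethereal's code): model of the TABLE config and
// the key hierarchy it generates, using STL containers as the mail describes.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One TABLE block: ordered KEY fields and a single numeric VALUE field.
struct TableDef {
    std::string name;
    int id = 0;
    std::vector<std::string> keys;
    std::string value;
    bool plot = false, enable = false;
};

// Parse the "KEYWORD  argument" line format quoted in the mail (one table per text).
TableDef parseTable(const std::string& text) {
    TableDef t;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string kw, arg;
        ls >> kw >> arg;
        if (kw == "NAME") t.name = arg;
        else if (kw == "ID") t.id = std::stoi(arg);
        else if (kw == "KEY") t.keys.push_back(arg);
        else if (kw == "VALUE") t.value = arg;
        else if (kw == "PLOT") t.plot = (arg == "YES");
        else if (kw == "ENABLE") t.enable = (arg == "YES");
    }
    return t;
}

// A dissected packet reduced to its filterable fields (constructed, assumed layout).
struct Packet {
    double time;                                // seconds since capture start
    std::map<std::string, std::string> fields;  // e.g. "ip.src" -> "10.0.0.1"
};

// Statistics kept at every node: count, sum of VALUE, per-second rate, 64-byte histogram.
struct Stats {
    long count = 0;
    double sum = 0;
    std::map<int, long> rate;       // whole-second interval -> packets
    std::map<int, long> histogram;  // value / 64 -> packets (bin width is an assumption)
    double mean() const { return count ? sum / count : 0.0; }
};

// Hierarchy node; children are indexed by the value of the next KEY field.
struct Node {
    Stats stats;
    std::map<std::string, Node> children;
};

// Walk a packet down the tree, updating every level it passes, so the source-only
// node and the source+destination node both see it.
void addPacket(Node& root, const TableDef& t, const Packet& p) {
    auto v = p.fields.find(t.value);
    if (!t.enable || v == p.fields.end()) return;   // disabled table or no VALUE field
    double value = std::stod(v->second);
    Node* node = &root;
    for (size_t level = 0;; ++level) {
        Stats& s = node->stats;
        s.count++;
        s.sum += value;
        s.rate[static_cast<int>(p.time)]++;
        s.histogram[static_cast<int>(value) / 64]++;
        if (level == t.keys.size()) break;
        auto k = p.fields.find(t.keys[level]);
        if (k == p.fields.end()) break;             // packet lacks this KEY field
        node = &node->children[k->second];
    }
}

// Find the node for a (possibly partial) key path; nullptr if no such node.
const Node* lookup(const Node& root, const std::vector<std::string>& path) {
    const Node* node = &root;
    for (const auto& key : path) {
        auto it = node->children.find(key);
        if (it == node->children.end()) return nullptr;
        node = &it->second;
    }
    return node;
}
long countAt(const Node& r, const std::vector<std::string>& p) {
    const Node* n = lookup(r, p); return n ? n->stats.count : -1;
}
double meanAt(const Node& r, const std::vector<std::string>& p) {
    const Node* n = lookup(r, p); return n ? n->stats.mean() : -1;
}

// The config block from the mail, as a string constant.
const char* kSampleConfig =
    "TABLE\nNAME      IP_SRC_DST\nID        9\nKEY       ip.src\nKEY       ip.dst\n"
    "VALUE     ip.len\nPLOT      YES\nENABLE    YES\n";

// Build the hierarchy from four constructed sample packets.
Node buildSample() {
    TableDef t = parseTable(kSampleConfig);
    std::vector<Packet> pkts = {
        {0.1, {{"ip.src", "10.0.0.1"}, {"ip.dst", "10.0.0.2"}, {"ip.len", "100"}}},
        {0.5, {{"ip.src", "10.0.0.1"}, {"ip.dst", "10.0.0.3"}, {"ip.len", "1500"}}},
        {1.2, {{"ip.src", "10.0.0.1"}, {"ip.dst", "10.0.0.2"}, {"ip.len", "60"}}},
        {1.8, {{"ip.src", "10.0.0.2"}, {"ip.dst", "10.0.0.1"}, {"ip.len", "40"}}},
    };
    Node root;
    for (const auto& p : pkts) addPacket(root, t, p);
    return root;
}

// Print the two-level summary the way tethereal's table output is described.
int main() {
    Node root = buildSample();
    for (const auto& src : root.children) {
        std::cout << src.first << " packets=" << src.second.stats.count
                  << " mean_len=" << src.second.stats.mean() << "\n";
        for (const auto& dst : src.second.children)
            std::cout << "  -> " << dst.first << " packets=" << dst.second.stats.count
                      << " mean_len=" << dst.second.stats.mean() << "\n";
    }
    return 0;
}
```

Because every node along the path is updated, a one-key lookup ({"10.0.0.1"}) answers "everything this source sent" while a two-key lookup answers the per-pair question, which is the point of keeping the hierarchy rather than one flat table per KEY combination.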