On Mon, Aug 12, 2002 at 12:02:54PM -0400, Gautham Thavva wrote:
> I am confused about what the PARENT_SUBFIELD and ID_VALUE should be.
> I thought that the PARENT_SUBFIELD should be udp.proto (like ip.proto)
> I couldn't find udp.proto.

The IP header has a field that specifies the protocol that's being used
on top of IP. There are only a small number of protocols that run
*directly* atop IP (e.g., TCP, UDP, ICMP, OSPF, SCTP), so it's
reasonable to assign numbers to those protocols. Furthermore, the model
is that there is, on a given network endpoint, only one TCP
implementation, only one UDP implementation, only one ICMP
implementation, etc., so you don't need to identify which particular
TCP, etc. instance is sending the packet or to which TCP, etc. instance
the packet is being sent.

However, for TCP and UDP, there is no such small set of protocols, *and*
there can be multiple endpoints for a given protocol - e.g.,
you could have multiple programs running on a machine sending mail over
SMTP, and you could have multiple server processes on a machine
accepting that mail - so there's no "protocol ID" field in the TCP or
UDP header.

Instead, there are "source port" and "destination port" fields, which
identify the endpoints. Sometimes a particular port number is assigned
to a protocol, and that port number is used for *one* of the endpoints.

If there's a particular port number assigned to LAPV-over-UDP, you would
use "udp.port" as the PARENT_SUBFIELD and the port number as the
ID_VALUE.

If there *isn't* a particular port number assigned to LAPV-over-UDP,
it's not that easy. Ethereal can't magically intuit what a particular
port number is being used for; at best, it can try to *guess* what the
port number is being used for by looking at the packet's contents.

If that's possible with LAPV-over-UDP (I know nothing about LAPV, so I
have no idea whether that's feasible), you'd write a heuristic
dissector.

If that's *not* possible with LAPV-over-UDP, you'd have to add a
protocol preference for LAPV-over-UDP that specifies the port number.
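
An added illustration, not part of the original message and not Ethereal's own code: a small self-contained C model of the lookup described above, with the IP protocol field selecting UDP, then a "udp.port" table checked against either port, then a heuristic on the payload, and a port preference modeled as a run-time registration. The table, the function names and the LAPV magic bytes are assumptions made up for this example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of the dispatch described above; not Ethereal's API. */
struct port_entry { uint16_t port; const char *proto; };
static struct port_entry udp_port_table[8] = { {53, "DNS"}, {69, "TFTP"} };
static size_t udp_port_count = 2;

/* What a port preference amounts to: bind a user-chosen port to a protocol. */
int register_udp_port(uint16_t port, const char *proto) {
    if (udp_port_count >= 8) return -1;
    udp_port_table[udp_port_count++] = (struct port_entry){port, proto};
    return 0;
}

static const char *lookup_port(uint16_t port) {
    for (size_t i = 0; i < udp_port_count; i++)
        if (udp_port_table[i].port == port) return udp_port_table[i].proto;
    return NULL;
}

/* Hypothetical heuristic: magic bytes 0x4C 0x56 are made up, not from LAPV. */
static const char *heur_lapv(const uint8_t *p, size_t len) {
    return (len >= 2 && p[0] == 0x4C && p[1] == 0x56) ? "LAPV" : NULL;
}

/* Name the protocol carried in an IPv4 packet's UDP payload. */
const char *classify(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return "not IPv4";
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 8) return "truncated";
    if (pkt[9] != 17) return "not UDP";        /* ip.proto: 17 = UDP */
    const uint8_t *udp = pkt + ihl;
    const char *name = lookup_port((uint16_t)((udp[0] << 8) | udp[1]));
    if (!name) name = lookup_port((uint16_t)((udp[2] << 8) | udp[3]));
    if (!name) name = heur_lapv(udp + 8, len - ihl - 8);
    return name ? name : "data";               /* nothing claimed it */
}

/* Wrap a payload in a constructed IPv4+UDP packet and classify it. */
const char *classify_sample(uint16_t sport, uint16_t dport,
                            const uint8_t *payload, size_t plen) {
    uint8_t buf[28 + 32] = {0};
    if (plen > 32) return "payload too long";
    buf[0] = 0x45; buf[9] = 17;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)(sport & 0xFF);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xFF);
    memcpy(buf + 28, payload, plen);
    return classify(buf, 28 + plen);
}
```

With no assigned port and no recognizable payload, the packet stays unclassified until `register_udp_port()` supplies the port, which is the role the preference plays.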