Hi.
These questions could probably be answered by looking at the source code,
which I already did; however, as Ethereal is a big and complex program, it's
hard for someone outside to gain an overall view of its design. So I
figured my questions would be best answered by someone who works on it.
1. How does Ethereal store packets internally, and in what form?
2. Are packets dissected at capture time, or are they dissected when the
user "views" the packet?
3. Which approaches does Ethereal use to determine/detect application-layer
protocols?
4. When a packet is captured, is the packet handled by its own thread?
Why or why not?
I would be very happy if someone could briefly answer one or more of these
questions.
As you may have guessed, I'm writing a packet sniffer as a hobby project, but
I'm losing sleep over some of the design issues around the engine that
captures and dissects packets. I've thought up a number of different
solutions, but they are either inefficient, slow, stupid, messy, memory
intensive, etc.
I just want to avoid shooting myself in the foot.
Thanks in advance.
Regards,
Ole H. Halvorsen.