Ethereal-dev: Re: [Ethereal-dev] "By design", or memory leak ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 10 Jun 2003 09:47:17 -0700
On Tue, Jun 10, 2003 at 11:38:51AM +0200, B. Lo�c wrote:
> I noticed that TCP connect/disconnect packets (handshake and so on) are not
> stamped in the tree as belonging to a given protocol. That is, if I do
> "tethereal port ssh", I see TCP packets on port 22 with SYN and/or ACK flag
> set, but they are not stamped as "SSH".
> I know, they are not, technically, SSH packets. Those coming afterwards are,
> and are dissected as such.
> 
> But are these pakets passed on to the dissector ?

No.  We could provide a mechanism to pass on TCP (and other) connection
setup and teardown information to dissectors (passing on the packet
isn't sufficient - "passing on the packet" means passing packet *data*,
but there isn't necessarily any data to pass on).

> If yes, they can be used to
> determine when connection is over and free memory. (is it already how it is
> done ?). Of course there may be protocols which use different connections for
> request and response and thus make this useless...

And there may be protocols that don't use connections at all (e.g., ONC
RPC or DCE RPC over a connectionless transport).

> Isn't it possible to pass relevant arguments to GCC when compiling ?
> For example, pass -DREVISIT when compiling ethereal, so the dissector can
> include ethereal-specific code between #ifdef REVISIT / #endif ? And/or do
> the same for tethereal with -DNOREVISIT ?
> 
> Of course that would require recompilation of (some, if not all) dissectors
> between the builds of ethereal and tethereal... but with the speed of
> computers today, is that really a problem ?

Yes, compiling might be fast - but bear in mind that there are a lot of
dissectors to compile.

However, it would also mean that the Makefile (on both UNIX and Windows)
would have to somehow arrange to force recompilation of the dissectors
in question.

> How about two sets of dissectors,
> those which need recompiling, and those which don't ?

That would reduce the size of the problem - at the cost of requiring
people to explicitly specify the type of dissector.  People are very
unreliable creatures, and often get things wrong.

However, we could, instead, supply that information at *run* time, in
which case there's no recompilation required.