On Oct 21, 2003, at 1:30 PM, Dinesh G Dutt wrote:
> The basic problem has to do with marking a frame as a "Malformed
> Frame". It is possible with the MDS family of switches & analyzer
> adapters to truncate frames delivered to Ethereal to prevent fewer
> frame drops and for other reasons.

That sounds as if it's the same thing as the snapshot length when
capturing; the only difference is that the actual frame length isn't
made available, so the frames show up as "Malformed" rather than
"Short". Ideally, there'd be some way to get the actual frame length,
in which case the frame would be reported as "Short".

> Separately, in SCSI, an initiator may allocate fewer bytes than
> required to return a response. For example, a normal INQUIRY response
> is about 48 bytes long, but there are lots of cases where hosts
> allocate as few as 4 bytes. In each of these cases, the frame is
> smaller than normal.

In cases where the SCSI protocol allows that, the SCSI dissector should
allow for responses that are shorter than the "normal" size.

> It would be slow and bad for readability to check for every field if
> there are sufficient bytes present.

We do that in other places; are you certain it'd really be that bad to
do it in the SCSI dissector?

> What I was thinking was to instead add a field to the packet_info
> structure called "truncated". If this bit is set, instead of marking a
> frame as malformed when an exception is thrown, we should mark the
> frame as "truncated".

The two cases you present are different.
In the first case, the problem is that we can't distinguish a short
frame (cut short by the snooping process) from a malformed frame (a
frame that really *is* short). Absent the actual frame length, there's
not much you could do other than indicate that the frame should be
marked as "short" (with the existing "Short Frame" mechanism) rather
than "malformed".
In the second case, it sounds as if the frame shouldn't be marked *at
all*.
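
The two cases discussed in this message, as an added example that is not part of the original message and not Ethereal's own code: a bounds check that reports "short" only when the wire length is known to be larger than what was delivered, and an INQUIRY response parser that stops quietly at the initiator's allocation length. All type and function names are hypothetical; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not Ethereal's tvbuff API. */
enum fetch_status { FETCH_OK, FETCH_SHORT, FETCH_MALFORMED };

/* captured_len: bytes delivered to the analyzer; reported_len: length on the wire. */
struct frame_buf { const uint8_t *data; size_t captured_len, reported_len; };

/* SHORT: the bytes were on the wire but cut off before delivery.
 * MALFORMED: the frame itself ends before the requested range. */
enum fetch_status check_range(const struct frame_buf *fb, size_t off, size_t len)
{
    if (off <= fb->captured_len && len <= fb->captured_len - off) return FETCH_OK;
    if (off <= fb->reported_len && len <= fb->reported_len - off) return FETCH_SHORT;
    return FETCH_MALFORMED;
}

/* Standard INQUIRY data: device type (byte 0), version (byte 2), vendor (bytes 8-15). */
struct inquiry_info { int nfields; uint8_t type, version; char vendor[9]; };

/* Dissect only the fields that fit in the initiator's allocation length; a
 * response that legitimately ends early is not an error, the rest is absent. */
enum fetch_status parse_inquiry(const struct frame_buf *fb, size_t alloc_len,
                                struct inquiry_info *out)
{
    enum fetch_status st;
    *out = (struct inquiry_info){0};
    if (alloc_len < 1) return FETCH_OK;
    if ((st = check_range(fb, 0, 1)) != FETCH_OK) return st;
    out->type = fb->data[0] & 0x1f; out->nfields = 1;
    if (alloc_len < 3) return FETCH_OK;
    if ((st = check_range(fb, 2, 1)) != FETCH_OK) return st;
    out->version = fb->data[2]; out->nfields = 2;
    if (alloc_len < 16) return FETCH_OK;
    if ((st = check_range(fb, 8, 8)) != FETCH_OK) return st;
    for (int i = 0; i < 8; i++) out->vendor[i] = (char)fb->data[8 + i];
    out->nfields = 3;
    return FETCH_OK;
}

int main(void)
{
    static const uint8_t resp[4] = {0x00, 0x00, 0x05, 0x02};  /* constructed sample */
    struct frame_buf fb = { resp, 4, 4 };  /* truncated, wire length unknown */
    struct inquiry_info info;
    printf("%d %d\n", parse_inquiry(&fb, 4, &info), parse_inquiry(&fb, 48, &info));
    return 0;
}
```

When `reported_len` equals `captured_len` because the capture source does not supply the real length, a truncated frame can only come back as `FETCH_MALFORMED`, which is the first case in the message.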