On Oct 27, 2003, at 10:54 PM, Martin Regner wrote:
> Michael Cohen wrote (September 28th, 2003) in a mail to me and Luca
> Micheletti:
>
>> Current patches are maintained in a complete forensic package I have
>> been contributing to:
>>
>> http://www.dsd.gov.au/software/flag/
As Anders Broman has just noted, that link is broken; try
http://www.dsd.gov.au/library/software/flag/
The patch is in the "flag_ethereal_0.9.13_diff" file in the tarball.
As the name suggests, it's a patch to 0.9.13. It also appears to
include some changes whose relevance isn't obvious, such as a change to
make "proto_tree_add_int()" handle FT_FRAMENUM (bogus, as frame numbers
are unsigned in Ethereal, and "proto_tree_add_uint()" handles
FT_FRAMENUM), as well as some (sigh) C++-style comments.
It adds to the "header_field_info" structure a flag indicating whether
to include the field in the SQL dumps. This means that you declare a
field as going into the SQL dumps by adding it to the registration of
the field - i.e., that choice is *hardwired* in Ethereal - and it puts
some additional stuff to put out SQL statements into specific
dissectors, such as the DNS dissector.
I.e., it does *NOT* appear to be a general mechanism for putting
arbitrary information from packets into an SQL database; it appears to
be somewhat specialized for FLAG.
If somebody's interested in "productizing" it (making it apply to the
current CVS version of Ethereal, removing bogosities and C++ comments,
and documenting it in the man page - documenting it enough to let
people know what it does and doesn't do, what fields it dumps, etc.),
or even making a more general version that doesn't hardwire stuff into
the dissectors, they should download FLAG and look at the patch.
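To make the mechanism described above concrete, here is an added illustration (not code from the FLAG patch or from Ethereal): a field registry carrying the extra "dump to SQL" flag, a generic exporter that writes only the flagged fields, and the check a practitioner would want when packet contents go into a database, namely binding the values as parameters. The field names, the SQLite schema and the sample packets are constructed for the example.

```python
import sqlite3

# Constructed registry standing in for Ethereal's header_field_info plus the
# patch's extra "include in SQL dump" flag. Field names are illustrative.
FIELDS = {
    "frame.number": {"type": "FT_FRAMENUM", "sql_dump": True},
    "dns.qry.name": {"type": "FT_STRING", "sql_dump": True},
    "dns.qry.type": {"type": "FT_UINT16", "sql_dump": True},
    "dns.flags": {"type": "FT_UINT16", "sql_dump": False},  # registered, not dumped
}
SQL_TYPE = {"FT_FRAMENUM": "INTEGER", "FT_UINT16": "INTEGER", "FT_STRING": "TEXT"}

def selected_fields(registry=FIELDS):
    """Fields whose registration carries the flag; this is the hardwired choice."""
    return [name for name, info in registry.items() if info["sql_dump"]]

def sql_column(field_name):  # identifiers come from the registry, never from packets
    return field_name.replace(".", "_")

def new_store(registry=FIELDS):
    """In-memory SQLite store with one typed column per flagged field."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{sql_column(f)} {SQL_TYPE[registry[f]['type']]}"
                     for f in selected_fields(registry))
    conn.execute(f"CREATE TABLE packet_fields (pkt INTEGER PRIMARY KEY, {cols})")
    return conn

def dump_packet(conn, dissected, registry=FIELDS):
    """Write one packet's flagged fields; packet values are bound, not spliced in."""
    names = selected_fields(registry)
    for n in names:
        v = dissected.get(n)
        if registry[n]["type"] == "FT_FRAMENUM" and v is not None and v < 0:
            raise ValueError("frame numbers are unsigned in Ethereal")
    cols = ", ".join(sql_column(n) for n in names)
    marks = ", ".join("?" for _ in names)
    conn.execute(f"INSERT INTO packet_fields ({cols}) VALUES ({marks})",
                 [dissected.get(n) for n in names])
    conn.commit()

def stored_queries(conn):
    """Return (frame number, query name) pairs exactly as the database holds them."""
    return conn.execute("SELECT frame_number, dns_qry_name FROM packet_fields ORDER BY pkt").fetchall()

if __name__ == "__main__":
    db = new_store()
    dump_packet(db, {"frame.number": 1, "dns.qry.name": "www.example.com", "dns.qry.type": 1})
    # constructed hostile query name: stored verbatim as data, never executed as SQL
    dump_packet(db, {"frame.number": 2, "dns.qry.type": 28, "dns.qry.name": "x'); DROP TABLE packet_fields;--"})
    print(stored_queries(db))
```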