Ethereal-dev: Re: [Ethereal-dev] Heuristic Dissectors for Serial Protocols Encapsulated in TCP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Thu, 27 Jan 2005 09:52:36 +0100
Neal Winblad wrote:

Gentlemen,

We would like to use Ethereal to look at not only Ethernet traffic but also various serial protocols which we will ship over Ethernet, encapsulated in TCP packets. We would like to write dissectors for these various protocols (e.g. Pan-Tilt-Zoom CCTV control, NTCIP variable message highway signs, RTMS radar detectors, etc.). Since these protocols were intended for direct serial connections they typically have no identification in the header as to what protocol these devices are speaking. We plan to use terminal servers manufactured by Digi International to translate from Ethernet network to serial port data. Digi has a protocol called Realport that runs on top of TCP and would have a TCP port number that would correspond to which serial port on the Digi box the serial signal is to be routed to. Knowing that a particular protocol is being spoken on a given port of a given terminal server, we could presumably write a dissector that would know that at this given port # and IP address a given protocol is being spoken. Trouble is, there might be a couple dozen other addresses/ports also talking this same protocol. And, on the next project the addresses and ports will likely change. Is there a configuration file that could be filled in on a project by project basis that would do this mapping?

Like some other protocol dissectors, you could write a dissector named Digi which could have a set of some preference settings like Port1 [number] Protocol1 [protocol] Port2 [number] ...

So your users can select let's say Port1 to be 14121 with the Protocol2 Pan-Tilt-Zoom and so on for Port2, Port3, ...

If I understand you correctly, these settings won't change very often, so this might be a usable way to go.

Or, we could put some protocol identifying characters in front of the Start-of-Header characters in the serial protocol that would allow a heuristic dissector to be able to identify them. Trouble here is that some of these serial protocols can't afford the latency hit of these extra padding characters (e.g. Pan-Tilt-Zoom control can get sluggish and overshoot the scene you want to move the camera to). Can we add these identifier padding characters one time and Ethereal will learn what protocol is on what port/IP and then remember it for future packets?

Some dissectors currently do it that way, but usually on a packet-by-packet basis only, looking at traffic content from/to well-known ports.

If so, will it remember this configuration information or would we have to send them again every time Ethereal is opened up?

It's currently not possible to have such settings saved at runtime for usage in the next Ethereal run.

Looking for your ideas on how to best accomplish this objective.

Hope this helped a bit,

Regards, ULFL
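
The port-to-protocol preference mapping suggested in the reply above, as a stand-alone C illustration. This is an added example, not Ethereal code and not code from the thread. The `port=proto,...` preference string format, the protocol names `ptz`/`ntcip`/`rtms`, and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MAP 32
/* Hypothetical sub-dissector names standing in for the serial protocols. */
static const char *known_protos[] = { "ptz", "ntcip", "rtms" };
static struct port_map { unsigned port; const char *proto; } map[MAX_MAP];
static size_t map_len;

static const char *find_proto(const char *name, size_t n) {
    for (size_t i = 0; i < sizeof known_protos / sizeof *known_protos; i++)
        if (strlen(known_protos[i]) == n && memcmp(known_protos[i], name, n) == 0)
            return known_protos[i];
    return NULL;
}
/* Protocol configured for a TCP port; NULL means "not configured". */
const char *lookup_port(unsigned port) {
    for (size_t i = 0; i < map_len; i++)
        if (map[i].port == port) return map[i].proto;
    return NULL;
}
/* Parse "port=proto,port=proto,..." into the table. Returns the entry count,
 * or -1 (table left empty) on a malformed, out-of-range, duplicate or unknown entry. */
int load_port_map(const char *pref) {
    map_len = 0;
    while (*pref) {
        char *end;
        if (*pref < '0' || *pref > '9') goto fail;      /* no sign or whitespace */
        unsigned long port = strtoul(pref, &end, 10);
        if (*end != '=' || port == 0 || port > 65535) goto fail;
        size_t n = strcspn(end + 1, ",");
        const char *proto = find_proto(end + 1, n);
        if (!proto || lookup_port((unsigned)port) || map_len == MAX_MAP) goto fail;
        map[map_len++] = (struct port_map){ (unsigned)port, proto };
        pref = end + 1 + n;
        if (*pref == ',' && *++pref == '\0') goto fail; /* reject trailing comma */
    }
    return (int)map_len;
fail:
    map_len = 0;
    return -1;
}

int main(void) {
    int n = load_port_map("14121=ptz,14122=ntcip");     /* constructed sample */
    const char *p = lookup_port(14121);
    printf("%d entries, 14121 -> %s\n", n, p ? p : "(not configured)");
    return 0;
}
```

A port with no entry returns NULL, which is the point at which a dissector would fall back to packet-by-packet heuristics.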