Ethereal-dev: Re: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Wed, 27 Apr 2005 07:25:28 +0200
Hi,

Sigcomp dissector is already using the new dissector style and will only try to decode the UDP-packets where the first byte is matching a certain pattern:

    /* Code to actually dissect the packets */
    static int dissect_sigcomp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
    :
    :
        /* Is this a SigComp message or not ? */
        octet = tvb_get_guint8(tvb, offset);
        if ((octet & 0xf8) != 0xf8)
            return 0;

If this check fails then Ethereal will continue with the next dissector, but please note that there can currently only be one dissector for a certain port. That is the problem you are having. Your dissector tries to register for port number 6666 which SIGCOMP dissector has already registered.

The ports that are used in SIGCOMP dissector are configurable from Edit/Preferences/Protocols/SIGCOMP. Currently the values 5555 and 6666 are used when Ethereal is installed. You can change those values and save the configuration.

----- Original Message -----
From: "Anders Broman (AL/EAB)" <anders.broman@xxxxxxxxxxxx>
To: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>; "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
Sent: Tuesday, April 26, 2005 12:22 PM
Subject: RE: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump

Hi,
I'll look at changing Sigcomp but I don't know when I'll have the time to do it.
Best regards
Anders

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx [mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of ronnie sahlberg
Sent: 26 April 2005 11:44
To: Ethereal development
Subject: [Ethereal-dev] Re: New dissector for Red Hat/Fedora netdump

heur_dissector_add() is the right first step, but is only really appropriate if netdump does use other ports as well.

If netdump is always using port 6666 which clashes with sigcomp then the real solution (==more work) would be to

1, change sigcomp to become a "new style" dissector (==one that returns a boolean and not void and which first checks "does this look like this protocol? if not return 0 and let ethereal try the next possible match."

2, change netdump to also be a new style dissector.

New style dissectors (all dissectors should eventually be changed to new-style since birthday effect and such makes these clashes more likely every time we add a new dissector) use new_create_dissector_handle() instead of create_dissector_handle().

Please see packet-xot.c for a small example of it. Notice that the main dissector returns 0 if it doesn't think it looks like xot!

Both sigcomp and netdump need to be changed to be new-style.

Maybe Anders or someone else from the telco crowd can change sigcomp to the new style in preparation for netdump? Anders?
(I'm reluctant to touch that one myself since I don't use that protocol myself and am not familiar at all with it...)

On 4/25/05, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> Guess I'm supposed to give an svn diff, so here it is.
>
> Eric
>
> On Mon, 2005-04-25 at 14:10 -0400, Eric Paris wrote:
> > Attached is a file packet-netdump.c which should dissect netdump
> > packets. Netdump is the protocol used to send crash information like
> > the stack and memory contents to a netdump server when a linux machine
> > panics/oops.
> >
> > This is my first attempt at a dissector, so please let me have any
> > comments on any problems you see.
> >
> > Netdump uses port UDP 6666 which is also defined by packet-sigcomp.c. I
> > don't have any traces which result in parsing these type of packets so
> > I'm not sure how to make sure it is still picking those up. I found
> > that just registering port 6666 with dissector_add caused the sigcomp to
> > still get tried and my netdump to never get tried. So I registered with
> > heur_dissector_add and it started trying my dissector second. So I can
> > only assume that it will get those others. I'm not sure what the right
> > way is to do this. Please comment if this was not right or if there is
> > a better way.
> >
> > I have a netdump capture with netdump traffic but it's about 40 megs long
> > (dumping memory does generate a lot of traffic), please let me know if
> > access to this is needed.
> >
> > Eric
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
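
Added example (not part of the original thread, and not Ethereal code): a standalone C model of the dispatch described above, where the dissector registered for the port is tried first and a return of 0 lets the heuristic dissectors run. The names model_sigcomp, model_netdump and classify are hypothetical, and the "DEMO" tag is a constructed stand-in because the thread does not give netdump's wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* New-style contract: return bytes consumed, or 0 for "not my protocol". */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* Same first-octet test as the dissect_sigcomp() excerpt in the thread. */
static int model_sigcomp(const uint8_t *buf, size_t len)
{
    return (len >= 1 && (buf[0] & 0xf8) == 0xf8) ? (int)len : 0;
}

/* Hypothetical netdump stand-in: constructed tag "DEMO", no real format. */
static int model_netdump(const uint8_t *buf, size_t len)
{
    return (len >= 4 && memcmp(buf, "DEMO", 4) == 0) ? (int)len : 0;
}

/* Port owner first, then heuristics: 0 = owner, i+1 = heuristic i, -1 = none. */
static int classify(dissector_fn owner, const dissector_fn *heur, size_t n,
                    const uint8_t *buf, size_t len)
{
    if (owner && owner(buf, len) > 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (heur[i](buf, len) > 0)
            return (int)i + 1;
    return -1;
}

/* Count the first-octet values (of 256) that the SigComp test accepts. */
static int sigcomp_accepted_octets(void)
{
    int count = 0;
    for (int v = 0; v < 256; v++) {
        uint8_t b = (uint8_t)v;
        count += model_sigcomp(&b, 1) > 0;
    }
    return count;
}

int main(void)
{
    const dissector_fn heur[] = { model_netdump };
    const uint8_t pkt[] = { 'D', 'E', 'M', 'O', 0x00 };  /* constructed */
    printf("claimed by %d; sigcomp accepts %d/256 first octets\n",
           classify(model_sigcomp, heur, 1, pkt, sizeof pkt), sigcomp_accepted_octets());
    return 0;
}
```

Because the SigComp test looks only at the top five bits of one octet, 8 of the 256 possible first-octet values pass it, so on a shared port any other protocol's packet that begins with 0xf8 to 0xff is still claimed by the port owner.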