On Friday, July 18, 2003, at 10:13 AM, Brad Wilson wrote:
> Is there an easy way to add onto the display filters or would this
> require recompiling the application? For example, if there are
> additions to the MAPI decoder is it easy to add Unknown Opcodes?

It requires recompiling the application.
Conceivably, we could allow an existing display filter field that has a
list of name/value pairs to have the name/value pair list come from a
file, but we haven't done that yet. However, ideally, for the MAPI
decoder we'd like to have it not only report the name for the opcode
but also dissect the operation, which is harder to make possible
without recompiling Ethereal.
It might be interesting to devise an interpretive language for packet
dissection (that's what WildPackets' network analyzers have, a fake
machine language) to let people change dissectors without having to
recompile Ethereal; we could, for example, have something that takes
DCE RPC IDLs and turns them into that code, which would let the MAPI
dissector dissect new packet types. (It might take a "decorated"
version of IDL, so that it can dissect the bits in an integer with
bitfields, for example, or save the value in a field for use later.)
However, we'd want that interpreter to be reasonably efficient, given
that we dissect every packet when we read the capture in (we currently
do that to

    1) set the column titles - we might be able to eliminate the need to
       do that by generating them as the row is displayed;

    2) build up state needed to dissect subsequent packets in the capture,
       the need for which is harder to eliminate).

A translator to native
machine language would help, but the problem is that we have a lot of
native machine languages on which Ethereal runs (probably all the
machine languages for all the platforms that Debian supports - x86,
M68K, SPARC, Alpha, PowerPC, ARM, MIPS, PA-RISC, IA-64, System/390 - at
minimum).

If you add new MAPI decodes, we'd like it if you can contribute the
updates, although whether your management would let you do so is
another matter.

> Brad E. Wilson - MCSE, MCSA
> Microsoft Outlook Beta Engineer
> bwilson@xxxxxxxxxxxxx

Microsoft lets you use GPLed software? Or are you not using it inside
Microsoft? They're not telling you to use Network Monitor instead?
(By the way, do the current versions of Outlook and Exchange support
the In-reply-to and References mail headers? If not, will there ever
be a version that does so? If not, consider this a request that they
do so - it makes threading work much better with
non-Outlook/non-Exchange clients.)
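
The two ideas in the message above (a name/value list supplied as data, and an interpreted field description that can pull bitfields out of an integer) can be sketched as follows. This is an added example, not part of the original message and not Ethereal's code; the instruction set, struct names, and the sample protocol are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical field-description "instructions"; not Ethereal's API. */
enum op { OP_U8, OP_U16BE, OP_BITS, OP_END };
struct insn { enum op op; const char *name; uint32_t arg; /* mask for OP_BITS */ };
struct value_string { uint32_t value; const char *name; };
struct field { const char *name; uint32_t value; };

/* Name lookup from a table that could be loaded from a file at run time. */
const char *val_to_name(const struct value_string *vs, uint32_t v) {
    for (; vs->name != NULL; vs++)
        if (vs->value == v) return vs->name;
    return "Unknown opcode";
}

/* Run the program over pkt; returns number of fields written, or -1 if the
 * packet is truncated or out[] is too small. Every read is bounds-checked
 * because the input is untrusted capture data. */
int dissect(const struct insn *prog, const uint8_t *pkt, size_t len,
            struct field *out, size_t max_out) {
    size_t off = 0, n = 0;
    uint32_t last = 0;                      /* last integer read, for OP_BITS */
    for (; prog->op != OP_END; prog++) {
        uint32_t v;
        if (n >= max_out) return -1;
        switch (prog->op) {
        case OP_U8:
            if (len - off < 1) return -1;
            v = last = pkt[off]; off += 1; break;
        case OP_U16BE:
            if (len - off < 2) return -1;
            v = last = ((uint32_t)pkt[off] << 8) | pkt[off + 1]; off += 2; break;
        case OP_BITS:
            v = last & prog->arg; break;    /* bitfield inside previous integer */
        default:
            return -1;
        }
        out[n].name = prog->name; out[n].value = v; n++;
    }
    return (int)n;
}

/* Constructed sample: 1-byte opcode, 1-byte flags with a low-bit flag, 16-bit length. */
const struct insn sample_prog[] = {
    { OP_U8, "opcode", 0 }, { OP_U8, "flags", 0 }, { OP_BITS, "flags.urgent", 0x01 },
    { OP_U16BE, "length", 0 }, { OP_END, NULL, 0 } };
const struct value_string sample_ops[] = { { 0x01, "Open" }, { 0x02, "Close" }, { 0, NULL } };
```

Adding a new opcode name or a new field here means editing the tables, which are plain data, while the interpreter loop stays compiled in.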