Ethereal-users: Re: [Ethereal-users] Pardon if this is a FAQ: How can I make additions to the di

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Jul 2003 13:52:36 -0700

On Friday, July 18, 2003, at 10:13 AM, Brad Wilson wrote:
Is there an easy way to add onto the display filters or would this require recompiling the application? For example, if there are additions to the MAPI decoder is it easy to add Unknown Opcodes? 

It requires recompiling the application.
Conceivably, we could allow an existing display filter field that has a list of name/value pairs to have the name/value pair list come from a file, but we haven't done that het. However, ideally, for the MAPI decoder we'd like to have it not only report the name for the opcode but also dissect the operation, which is harder to make possible without recompiling Ethereal.
It might be interesting to devise an interpretive language for packet dissection (that's what Wildpacket's network analyzers have, a fake machine language) to let people change dissectors without having to recompile Ethereal; we could, for example, have something that takes DCE RPC IDLs and turns them into that code, which would let the MAPI dissector dissect new packet types. (It might take a "decorated" version of IDL, so that it can dissect the bits in an integer with bitfields, for example, or save the value in a field for use later.)
However, we'd want that interpreter to be reasonably efficient, given that we dissect every packet when we read the capture in (we currently do that to
1) set the column titles - we might be able to eliminate the need to do that by generating them as the row is displayed;
2) build up state needed to dissect subsequent packets in the capture, the need for which is harder to eliminate). A translator to native machine language would help, but the problem is that we have a lot of native machine languages on which Ethereal runs (probably all the machine languages for all the platforms that Debian supports - x86, M68K, SPARC, Alpha, PowerPC, ARM, MIPS, PA-RISC, IA-64, System/390 - at minimum).
If you add new MAPI decodes, we'd like it if you can contribute the updates, although whether your management would let you do so is another matter. 


Brad E. Wilson - MCSE, MCSA
Microsoft Outlook Beta Engineer
bwilson@xxxxxxxxxxxxx
Microsoft lets you use GPLed software? Or are you not using it inside Microsoft? They're not telling you to use Network Monitor instead?
(By the way, do the current versions of Outlook and Exchange support the In-reply-to and References mail headers? If not, will there ever be a version that does so? If not, consider this a request that they do so - it makes threading work much better with non-Outlook/non-Exchange clients.)