Ethereal-users: Re: [Ethereal-users] HTTP Dissector & reassembler, tethereal, and mirroring a we

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 17 Feb 2005 11:44:19 -0800
Jon Passki wrote:


Is it correct to say that the HTTP dissector might call other
dissectors based upon the media type encountered in an HTTP
session?
Yes. Any dissector that has registered itself for a particular media type (or, rather, "medium type" :-)) will be called for HTTP contents of that media type (although note that we don't currently do HTTP entity body reassembly if there's no Content-Length header). 


Is there a listing of available dissectors (outside of code)?


No.


By a web page, I mean a hierachal representation of the media type
data (e.g. HTML [text/html], JPEG [image/jpeg], etc) within the
HTTP session.   I see now that it probably wouldn't make sense in
the HTTP dissector.  Perhaps this could be a feature on exporting
the data?  E.g.,when a JPEG is exported from an HTTP session,
somewhere (filename, companion file, directory structure, whatever)
there is information that I can use to associate it to a larger
group of sessions.  This could be the absolute URI or absolute path
and Host field, time & date, and/or whatever else makes sense.
You could, I guess, linearize it, and write out the top-level page first, and then write out the data fetched when loading that page, with some sort of headers (perhaps just as a sequence of HTTP replies, with Content-Length headers added if missing so that the end of each component can always be found, and perhaps with some of the headers rewritten if, for example, what's saved is uncompressed when it was transferred as compressed, or de-chunked when it was transferred as chunked).
Note, of course, that there's no guarantee that all the components of the page will be transferred - the browser might have, for example, cached the images in the page.
It might be worth seeing whether the Chaosreader program mentioned by Mark Grigsby would be easier to modify to do the stuff you want; that's the nice thing about using libpcap format for captures - it means that there are many tools that can process capture files, so you don't have to have Ethereal/Tethereal be capable of doing it all.