Wireshark-bugs: [Wireshark-bugs] [Bug 8590] New: Enhanced PCAP-NG dissection

Date: Wed, 17 Apr 2013 18:03:54 +0000
Bug ID 8590
Summary Enhanced PCAP-NG dissection
Classification Unclassified
Product Wireshark
Version SVN
Hardware All
OS All
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 10612 [details]
Patch to enable enhanced PCAP-NG dissection (apply first)

Build Information:
The patches patch cleanly against SVN revision 48894.
--
The current processing of PCAP-NG has limitations that are addressed by the
attached patches.  First, dissection of the PCAP-NG blocks is occurring in the
wiretap library instead of the wireshark library where dissection errors are
less likely to cause problems.  Second, it is difficult to present any data
other than real packet data to the dissection engine.  Third, multiple section
header blocks are not supported.  Finally, there is no way to add additional
block types and/or options via a plug-in dissector.

pcapng-block.patch provides enhanced PCAP-NG support.  The only thing the
patched libwiretap parses is a PCAP-NG block which is passed in its entirety to
the dissection engine as the packet data with a new encapsulation type:
WTAP_ENCAP_PCAPNG_BLOCK.  A new PCAP-NG dissector replaces the Frame dissector
as the top-level dissector.  Frames that are not of the new encapsulation type
are immediately passed on to the Frame dissector while PCAP-NG data continues
through the PCAP-NG dissector and a PCAP-NG tree replaces the Frame tree at the
top level.  Packet block dissectors eventually call the Frame dissector to
continue processing as normal while non-packet blocks are displayed without a
Frame tree.

Multiple sections are supported and can be in different byte orders.  All block
metadata and options are available to explore in the dissection tree.  Unknown
block types are displayed but not completely dissected.  Dissectors for new
block types and options can be registered by compiled-in or plug-in dissectors.
pcapng-hone.patch demonstrates a Hone (https://github.com/HoneProject)
dissector that adds two block types and several options to some standard block
types.

Write support, at this point, is rudimentary.  Only blocks for selected frames
are written to file.  Therefore, the section header block and at least one
interface description block must be selected from each section before
export/saving or an invalid PCAP-NG file will result.  Future work would
include ensuring required/dependent frames were written along with those
selected.

Please try the patches and see if you don't agree that this is an improvement
in PCAP-NG parsing.

Thank you,

Brandon Carpenter
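An added illustration, not part of this report or of the attached patches, of the block-level model the report describes: a Python walker that treats each PCAP-NG block as the unit of work, switches byte order at every Section Header Block, records unknown block types without dissecting them, and computes the "required/dependent frames" closure that the write-support paragraph leaves as future work (the SHB of each touched section plus the Interface Description Blocks a packet block depends on). All function names and the sample capture are constructed for this example; the Custom Block type 0x00000BAD stands in for any block this walker does not know how to dissect.

```python
import struct
from dataclasses import dataclass

# Block type codes and the byte-order magic from the pcapng specification
BT_SHB = 0x0A0D0D0A   # Section Header Block
BT_IDB = 0x00000001   # Interface Description Block
BT_EPB = 0x00000006   # Enhanced Packet Block
BOM = 0x1A2B3C4D

def _pad4(n):
    return (n + 3) & ~3

@dataclass
class Block:
    type: int
    section: int    # 0-based index of the SHB this block belongs to
    endian: str     # struct byte-order prefix, '<' or '>'
    fields: dict    # dissected header fields; empty for unknown block types
    options: list   # [(option_code, value_bytes), ...]
    raw: bytes      # complete block, header and trailing length included

def parse_options(buf, endian):
    """Walk a TLV option list up to opt_endofopt; values are padded to 4 bytes."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        if code == 0:
            break
        value = buf[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts.append((code, value))
        off += 4 + _pad4(length)
    return opts

def parse_pcapng(data):
    """Split data into blocks; byte order is re-sniffed at every SHB."""
    blocks, off, endian, section = [], 0, None, -1
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # SHB type is a palindrome
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BOM):
                endian = "<"
            elif magic == struct.pack(">I", BOM):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
            section += 1
        elif endian is None:
            raise ValueError("data does not begin with a Section Header Block")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        (trailer,) = struct.unpack_from(endian + "I", data, off + total - 4)
        if trailer != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        body, fields, opt_off = data[off + 8:off + total - 4], {}, None
        if btype == BT_SHB:
            fields["major"], fields["minor"], fields["section_len"] = struct.unpack_from(endian + "HHq", body, 4)
            opt_off = 16
        elif btype == BT_IDB:
            fields["linktype"], _, fields["snaplen"] = struct.unpack_from(endian + "HHI", body, 0)
            opt_off = 8
        elif btype == BT_EPB:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(endian + "IIIII", body, 0)
            packet = body[20:20 + caplen]
            if len(packet) != caplen:
                raise ValueError("truncated packet data at offset %d" % off)
            fields.update(interface_id=iface, timestamp=(ts_hi << 32) | ts_lo,
                          caplen=caplen, origlen=origlen, packet=packet)
            opt_off = 20 + _pad4(caplen)
        # Unknown types keep their raw bytes; no options are parsed for them
        options = parse_options(body[opt_off:], endian) if opt_off is not None else []
        blocks.append(Block(btype, section, endian, fields, options, data[off:off + total]))
        off += total
    return blocks

def export_closure(blocks, selected):
    """Expand selected block indices with the SHB of every section touched and,
    for each packet block, the IDBs up to the one it references, so the
    interface numbering in the written file stays valid."""
    shb_of, idbs_of = {}, {}
    for i, b in enumerate(blocks):
        if b.type == BT_SHB:
            shb_of[b.section], idbs_of[b.section] = i, []
        elif b.type == BT_IDB:
            idbs_of[b.section].append(i)
    needed = set(selected)
    for i in selected:
        b = blocks[i]
        needed.add(shb_of[b.section])
        if b.type == BT_EPB:
            k = b.fields["interface_id"]
            if k >= len(idbs_of[b.section]):
                raise ValueError("block %d references undefined interface %d" % (i, k))
            needed.update(idbs_of[b.section][:k + 1])
    return sorted(needed)

def write_blocks(blocks, indices):
    return b"".join(blocks[i].raw for i in indices)

# --- builders used only to construct the sample capture below ---
def build_options(opts, endian):
    out = b"".join(struct.pack(endian + "HH", c, len(v)) + v + b"\0" * (_pad4(len(v)) - len(v))
                   for c, v in opts)
    return (out + struct.pack(endian + "HH", 0, 0)) if opts else b""

def build_block(btype, body, endian):
    body += b"\0" * (_pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def build_shb(endian, opts=()):
    return build_block(BT_SHB, struct.pack(endian + "IHHq", BOM, 1, 0, -1) + build_options(opts, endian), endian)

def build_idb(endian, linktype, snaplen, opts=()):
    return build_block(BT_IDB, struct.pack(endian + "HHI", linktype, 0, snaplen) + build_options(opts, endian), endian)

def build_epb(endian, iface, ts, packet, opts=()):
    hdr = struct.pack(endian + "IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(packet), len(packet))
    pkt = packet + b"\0" * (_pad4(len(packet)) - len(packet))
    return build_block(BT_EPB, hdr + pkt + build_options(opts, endian), endian)

# Constructed sample: a little-endian section with an unknown block, then a
# big-endian section whose packet references the second interface.
PKT = bytes.fromhex("ffffffffffff0011223344550800") + b"\x45\x00\x00\x14"   # 18 bytes, constructed
SAMPLE = (
    build_shb("<", [(4, b"example")])            # shb_userappl
    + build_idb("<", 1, 65535, [(2, b"eth0")])   # LINKTYPE_ETHERNET, if_name
    + build_epb("<", 0, 1_366_220_634_000_000, PKT)
    + build_block(0x00000BAD, b"opaque", "<")    # Custom Block, not dissected here
    + build_shb(">")
    + build_idb(">", 101, 262144)                # LINKTYPE_RAW
    + build_idb(">", 1, 65535, [(2, b"eth1")])
    + build_epb(">", 1, 1_366_220_635_000_000, PKT, [(1, b"second section")])  # opt_comment
)

if __name__ == "__main__":
    blocks = parse_pcapng(SAMPLE)
    for i, b in enumerate(blocks):
        print(i, "section", b.section, b.endian, hex(b.type), b.fields.get("interface_id", ""), b.options)
    print("export closure for block 7:", export_closure(blocks, {7}))
```

Selecting only the last packet block yields the closure [4, 5, 6, 7]: the big-endian SHB, both IDBs of that section (the packet names interface 1, so interface 0 must be kept to preserve numbering) and the packet itself; writing those blocks in file order re-parses cleanly, while writing the packet block alone fails at the first block because no SHB establishes a byte order.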
