Wireshark-bugs: [Wireshark-bugs] [Bug 9464] New: Use contents of K12_REC_STK_FILE records in RF5
Date: Thu, 21 Nov 2013 01:30:39 +0000
Bug ID | 9464 |
---|---|
Summary | Use contents of K12_REC_STK_FILE records in RF5 files to specify dissectors |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Enhancement |
Priority | Low |
Component | Capture file support (libwiretap) |
Assignee | [email protected] |
Reporter | [email protected] |
Build Information: Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v". -- Some (but not all!) RF5 files have K12_REC_STK_FILE records that include the contents of .stk files. A "stack file", as appears in a K12_REC_STK_FILE record, is a text file (with CR-LF line endings) with a sequence of lines, each of which begins with a keyword, and has white-space-separated tokens after that. They appear to be: STKVER, which is followed by a number (presumably a version number for the stack file format) STACK, which is followed by a quoted string ("ProtocolStack" in one file) and two numbers PATH, which is followed by a non-quoted string giving the pathname of the directory containing the stack file HLAYER, which is followed by a quoted string, a path for something (protocol module?), a keyword ("LOADED", in one file), and a quoted string giving a description - this is probably a protocollayer of some sort LAYER, which has a similar syntax to HLAYER - the first quoted string is a protocol name RELATION, which has a quoted string giving a protocol name, another quoted string giving a protocol name, and a condition specifier of some sort, which probably says the second protocol is layered atop the first protocol if the condition is true. The first protocol can also be "BASE", which means that the second protocol is the lowest-level protocol. The conditions are: CPLX, which may mean "complex" - it has parenthesized expressions including "&", presumably a boolean AND, with the individual tests being L:expr, where L is a letter such as "L", "D", or "P", and expr is: 0x........ for L, where each . is a hex digit or a ?, presumably meaning "don't care" 0;0{=,!=}0b........ for D, where . is presumably a bit or a ? param=value for P, where param is something such as "src_port" and value is a value, presumably to test, for example, TCP or UDP ports UNCOND, presumably meaning "always" PARAM, followed by a parameter name (as with P:) and a value, possibly followed by LAYPARAM and a hex value DECKRNL, followed by a quoted string protocol name, un-quoted "LSBF" or "MSBF" (Least/Most Significant Byte First?), and an un-quoted string ending with _DK LAYPARAM, followed by a quoted protocol name and a number (-2147221504 in one file, which is 0x80040000) SPC_CONF, folloed by a number, a quoted string with numbers separated by hyphens, and another number CIC_CONF, with a similar syntax to SPC_CONF LAYPOS, followed by a protocol name or "BASE" and 3 numbers. Most of this is probably not useful, but the RELATION lines with "BASE" could be used to figure out how to start the dissection (if we knew what "L" and "D" did), and *some* of the others might be useful if they don't match what's already in various dissector tables (the ones for IP and a higher-level protocol, for example, aren't very useful, as those are standardized, but the ones for TCP, UDP, and SCTP ports, and SCTP PPIs, might be useful).
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- Prev by Date: [Wireshark-bugs] [Bug 9445] USB: Enable DecodeBy
- Next by Date: [Wireshark-bugs] [Bug 9450] More generic Decode As interface
- Previous by thread: [Wireshark-bugs] [Bug 3127] need all match information for K12XX stack-to-protocol table
- Next by thread: [Wireshark-bugs] [Bug 9464] Use contents of K12_REC_STK_FILE records in RF5 files to specify dissectors
- Index(es):