Wireshark-dev: Re: [Wireshark-dev] Dissector pipelines suggestion

From: Shehjar Tikoo <shehjart@xxxxxxxxxxxxxxx>
Date: Fri, 09 Feb 2007 11:18:21 +1100
Hi all,

Shehjar Tikoo wrote:
Guy Harris wrote:
On Feb 6, 2007, at 3:56 PM, Shehjar Tikoo wrote:
Note: anonymizing packets isn't what a dissector does; a dissector dissects packets. If you want hooks to do anonymization that understands particular protocols, the way to do that would be to add hooks for anonymization, rather than trying to abuse the protocol dissection mechanism and being then forced into adding more mechanism to allow that sort of abuse.

Yes, it's true that I was trying to abuse the dissector mechanism but hooks sound like a cleaner idea.

So what sort of hooks into the *existing* dissectors do you need in order to do anonymization?

Right now I am basically diverting each RPC message into a function that calls tcp_dissect_pdus to ensure my anonymizer gets a desegmented message, so in general a per-message hook sounds like what I need.

One issue is, how to handle hooks which need desegmented messages but corresponding dissectors which can do without desegmentation. Though I can see this being resolved by executing the hook after the dissector with desegmentation pref enabled, in the case of RPC. That should ensure that the hook gets a desegmented message.

The problem with this is that the hook will not get called each time a dissector gets called, because the dissector has requested desegmentation and needs to return (to the caller from the transport layer) before it can hand over the tvbuff to the hook. I am not sure if such a behaviour will be acceptable in Wireshark?

Or this could be divided into a pre- and post-dissector hook and let the coder choose.


Shehjar

I haven't thought much about how these hooks will affect other layers and dissectors because I haven't looked into them much.

Thanks again
Shehjar
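
The call-count mismatch discussed in the message above, as an added stand-alone model (not Wireshark code and not from the thread): a per-message hook that fires only after a complete RPC record has been reassembled, so it runs fewer times than the per-segment entry point. It assumes ONC RPC record marking over TCP with single-fragment records; `feed_segment`, `msg_hook`, `count_hook` and the `wire` bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 256
typedef void (*msg_hook)(const uint8_t *msg, size_t len, void *ctx); /* hypothetical hook type */

struct stream { uint8_t buf[BUF_MAX]; size_t have; unsigned calls, hooks; };

/* Constructed input: two records (8-byte and 4-byte bodies), last-fragment bit set. */
static const uint8_t wire[20] = {
    0x80, 0, 0, 8,  1, 2, 3, 4, 5, 6, 7, 8,
    0x80, 0, 0, 4,  9, 10, 11, 12 };

/* Hypothetical hook: only counts the body bytes it is shown. */
static void count_hook(const uint8_t *msg, size_t len, void *ctx) { (void)msg; *(size_t *)ctx += len; }

/* One call per TCP segment. Returns messages handed to the hook, or -1 if too large. */
int feed_segment(struct stream *s, const uint8_t *seg, size_t len, msg_hook hook, void *ctx)
{
    size_t off = 0;
    int delivered = 0;
    s->calls++;
    if (len > BUF_MAX - s->have) return -1;
    memcpy(s->buf + s->have, seg, len);
    s->have += len;
    while (s->have - off >= 4) {
        const uint8_t *p = s->buf + off;
        size_t body = ((size_t)(p[0] & 0x7f) << 24) | ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
        if (body > BUF_MAX - 4) return -1;     /* record can never fit: reject */
        if (s->have - off < 4 + body) break;   /* incomplete: return to the transport layer */
        hook(p + 4, body, ctx);                /* post-reassembly hook, once per message */
        s->hooks++; delivered++;
        off += 4 + body;
    }
    memmove(s->buf, s->buf + off, s->have - off); /* keep the unconsumed tail */
    s->have -= off;
    return delivered;
}

int main(void)
{
    struct stream s = {0};
    size_t seen = 0;
    feed_segment(&s, wire, 3, count_hook, &seen);       /* partial record mark */
    feed_segment(&s, wire + 3, 7, count_hook, &seen);   /* partial body */
    feed_segment(&s, wire + 10, 10, count_hook, &seen); /* completes both records */
    printf("segment calls=%u hook calls=%u body bytes=%zu\n", s.calls, s.hooks, seen);
    return 0;
}
```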