Wireshark-dev: Re: [Wireshark-dev] Expert Info and protocol validation using tshark

From: "Bryant Eastham" <beastham@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Oct 2007 07:02:56 -0600
Thanks for the response. You must have caught up on your messages.
Comment inline.
Bryant Eastham schrieb:
>
> All-
>
> I have been a user of Wireshark for several years. I have been writing
> plugins for some internal protocols, but up until now have had limited
> ability to repay the Wireshark community. I now have a need that may
> both help me, and allow some payback...
>
> First, let me say that I have been impressed with the new Expert Info
> and have been integrating many protocol validations into my plugins.
> As we develop implementations it is extremely useful for the engineers
> to use this information as validation - saving a lot of frustration
> during integration. Thanks Ulf!
>
:-)
>
> One potential use of both wireshark/tshark and expert info is not 
> supported, however.
>
> I would like to use a combination of tshark/expert info to "monitor"
> our automated testing system and look for protocol violations. We
> already have a great test harness, with the ability to switch OS,
> network protocol, etc. automatically. What I would like to do is
> configure some monitor ports on the 2 switches that we use, run the
> VLAN monitors into another dedicated monitor box, and then capture all
> the traffic during our test runs. This part is normal, no need for
> change.
>
> In order for this to work, however, I need to:
>
> 1. Identify which tests (programs) were running at the time (this part
> is easy, I can instrument the tests to advertise themselves on the
> network and that will get captured (along with address and port) with
> everything else).
>
> 2. Process the capture(s) and identify protocol violations. I don't 
> believe this is handled today.
>
I'm not sure if I got your point here.

[Bryant Eastham] I'm sorry. I should have written "Process the
capture(s) with tshark and have it output the protocol violations."

Protocol violations are one of the things that expert infos are all about.

Basically "Expert Infos" should be things that a protocol dissector
detects to be "uncommon", "not in the specs" ... well, you get the
point. This whole thing doesn't depend on any GUI related stuff.
>
> I have seen some posts regarding tshark and expert infos, and I would 
> love to see this feature fleshed out. "Love" to the point that I am 
> willing to spend time to make it happen...
>
> However, I don't want to tread on others' areas of ownership or
> reinvent the wheel, so I am asking the group for how to proceed. I
> infer from several existing tshark features that outputting the expert
> infos might not be extremely difficult. If it turns out that I am
> wrong, then tell me now and I will not bother. If my assumption is
> correct then I imagine that the first step would be to get consensus
> on how to control and present the information. I imagine that making a
> more concrete proposal on this list would be appropriate?
>
So this seems to be the more interesting question. I personally mostly
use Wireshark, so I'm not an expert for tshark.

Anyone with a good idea to display the expert info stuff for tshark?

Regards, ULFL
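One way to get what Bryant asks for from the command line, as an added example that is not from this thread or from the Wireshark project: it assumes a modern tshark, where expert items are exposed as the `_ws.expert.*` fields (a capability added long after this 2007 exchange), and the function names and the sample rows are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a modern tshark whose
# expert items are exposed as the _ws.expert.* fields (added long after 2007).

# One TSV line per frame carrying an Error or Warning expert item. Columns:
# frame, relative time, src, dst, protocol stack, severities, messages. A
# frame with several items gets them joined with ';' (occurrence=a + aggregator).
expert_violations() {
    tshark -r "$1" \
        -Y '_ws.expert.severity == error || _ws.expert.severity == warning' \
        -T fields -E separator=/t -E occurrence=a -E 'aggregator=;' \
        -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
        -e frame.protocols -e _ws.expert.severity -e _ws.expert.message
}

# Read that TSV on stdin; report each distinct (severity, message) pair with
# its count and the frame it first appeared in, most frequent first. The
# ';'-joined columns are split so a frame with two items counts once for each.
summarize_expert() {
    awk -F'\t' '
        {
            ns = split($6, sev, ";"); split($7, msg, ";")
            for (i = 1; i <= ns; i++) {
                key = sev[i] "\t" msg[i]
                n[key]++
                if (!(key in first)) first[key] = $1
            }
        }
        END {
            for (k in n) printf "%d\t%s\tfirst seen in frame %s\n", n[k], k, first[k]
        }' | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Constructed sample of expert_violations output (made-up values), so the
# summary can be tried without tshark or a capture.
SAMPLE_TSV="$(printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1 0.000 10.0.0.1 10.0.0.2 eth:ethertype:ip:tcp Warning 'Connection reset (RST)' \
    2 0.010 10.0.0.2 10.0.0.1 eth:ethertype:ip:tcp 'Error;Warning' 'Malformed Packet;Bad checksum' \
    3 0.020 10.0.0.1 10.0.0.2 eth:ethertype:ip:tcp Warning 'Connection reset (RST)')"

# Usage: expert_report.sh capture.pcapng  (no argument: summarize the sample)
if [ $# -gt 0 ]; then
    expert_violations "$1" | summarize_expert
else
    printf '%s\n' "$SAMPLE_TSV" | summarize_expert
fi
```

The frame number and timestamp in each row are what let a test harness join a violation back to the test that was advertising itself on the wire at that moment.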
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev