Wireshark-dev: Re: [Wireshark-dev] Generic Plugin
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 28 May 2009 11:11:56 -0700
On May 28, 2009, at 5:53 AM, Sachin Gupta wrote:
> This generic plugin is at a very nascent stage compared to wsgd. The key idea behind this is simplicity. This plugin provides a very easy XML interface to define the packet structure.
I'm not sure I'd use the words "easy" and "XML" in the same sentence. :-)

XML-based syntaxes strike me as more cumbersome and less natural syntaxes than, for example, the wsgd syntax, or the BinPAC syntax:

http://bro-ids.org/wiki/index.php/BinPAC

or Microsoft's Network Monitor 3 syntax. If you want an XML syntax, you might want to look at the NetPDL syntax:

http://www.nbee.org/doku.php?id=netpdl:index

(Note also that, while doing a packet description language implementation as a plugin might be a useful way to do initial development of that implementation, it ultimately should be made a part of libwireshark.)
> This plugin presently supports protocol formats with fixed fields, optional lengths, optional fields, array fields, filters etc. Some of the features available are:
>
> 1) A standardized XML interface to define packet format.
> 2) Allows new packet formats to be added without recompilation.
> 3) Supports all default type fields - uint32, uint16, uint24, uint6, bytes, bit, structs.
> 4) Supports complex fields like fields inside fields.
> 5) Supports dynamic size fields in the message.
> 6) Supports optional fields in the message.
> 7) Supports Type-Length-Value, Length-Value and Name-Value fields.
> 8) Supports bit fields up to 64 bits.
> 9) Supports setting filters on Wireshark messages.
> 10) Registers with a UDP port at runtime.

Such a mechanism should support registering in *arbitrary* dissector tables, not just udp.port.

> 11) Supports TLV inside TLV.
>
> Still, some of the features which are lacking, and which can be further enhanced:
>
> 1) Enum names for values.
> 2) It presently supports only big endian format; little endian support is trivial to add.
> 3) It is presently workable for Linux only,

By "Linux" do you really mean "UN*X"? I.e., what makes it "Linux-only"?

> can be ported to Windows too. Please see below example implementation -
>
> Example 1 -
>
> <?xml version="1.0" encoding="utf-8"?>
> <message name="ATTACH_ACCEPT" proto="EPS">
>   <type name="comp_field">
>     <field name="FD1" type="uint32"/>
>     <field name="FD2" type="bytes" array_length="6"/>
>   </type>
>   <type name="comp_unord" desc="unordered" nametype="uint8">
>     <field name="complex1" value="3" type="bytes" array_length="2"/>
>     <field name="complex2" value="13" type="uint8"/>
>     <field name="complex3" value="37" type="uint16"/>
>   </type>
>   <type name="comp_field_type">
>     <field name="FD1" type="uint32"/>
>     <field name="FD2" type="comp_unord"/>
>     <field name="FD3" type="uint8" array_length="end"/>
>   </type>
>   <type name="optional_fields" desc="unordered" nametype="uint8">
>     <field name="complex field1" value="5" type="bytes" array_length="6"/>
>     <field name="complex field2" value="1" type="comp_field_type" type_length="8"/>
>     <field name="complex field3" value="37" type="uint16" type_length="Length"/>
>   </type>
>   <body>
>     <field name="Bit_Field1" type="bits" array_length="2"/>
>     <field name="Bit_Field2" type="bits" array_length="3"/>
>     <field name="Bit_Field3" type="bits" array_length="5"/>
>     <field name="Field3" type="uint8"/>
>     <field name="Length" type="uint8"/>
>     <field name="field4" type="optional_fields" type_length="Length"/>
>     <field name="Bit_Field2" type="bits" array_length="14"/>
>     <field name="Bit_Field3" type="bits" array_length="16"/>
>     <field name="Bit_Field4" type="bits" array_length="10"/>
>     <field name="length_2" type="uint8"/>
>     <field name="array_field" type="uint32" array_length="length_2"/>
>     <field name="Correct Value" type="desc" option_field="Bit_Field2" option_value="5"/>
>     <!-- a literal '<' is not allowed inside an XML attribute value; escaped here -->
>     <field name="Test Field" type="bytes" array_length="5" option_field="Bit_Field2" option_value="&lt;20"/>
>     <field name="field2" type="bytes" array_length="5"/>
>     <field name="Complex Field" type="comp_field" array_length="end"/>
>   </body>
> </message>
>
> Looking for reply.
>
> thanks & regards
> Sachin
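A toy interpreter for a description in the style Sachin posted, added here as an example; it is not the plugin's code, nor Wireshark's. It covers a subset I chose (big-endian uint8/16/24/32, bytes, bit fields, user-defined struct types, and array_length given as a literal, as the name of an earlier integer field, or as "end"); type_length, the unordered/TLV types and option_field are left out, and the rule that a byte-aligned field after bit fields starts at the next byte boundary is my assumption. The description and the two packets are constructed. The point a generic, description-driven dissector has to get right is that every length it reads from the packet is untrusted: here each one is checked against the bytes remaining before it is used, so a hostile length byte raises an error instead of reading past the buffer.

```python
# Added example, not the plugin's code: a toy dissector driven by a description
# in the XML style above.  My assumptions: big-endian integers; "bits" fields
# packed MSB-first, with a byte-aligned field starting at the next byte boundary;
# array_length is a literal, the name of an earlier integer field, or "end".
from collections import ChainMap
import xml.etree.ElementTree as ET

DESCRIPTION = """<message name="DEMO" proto="DEMO">
  <type name="comp_field">
    <field name="FD1" type="uint32"/>
    <field name="FD2" type="bytes" array_length="2"/>
  </type>
  <body>
    <field name="Flag" type="bits" array_length="2"/>
    <field name="Kind" type="bits" array_length="6"/>
    <field name="Length" type="uint8"/>
    <field name="Payload" type="bytes" array_length="Length"/>
    <field name="Count" type="uint8"/>
    <field name="Items" type="comp_field" array_length="Count"/>
    <field name="Tail" type="bytes" array_length="end"/>
  </body>
</message>"""  # constructed description, not from the post

class DissectError(ValueError):
    """Raised instead of reading past the end of the buffer."""

class Dissector:
    SIZES = {"uint8": 1, "uint16": 2, "uint24": 3, "uint32": 4}

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.types = {t.get("name"): list(t) for t in root.findall("type")}
        self.body = list(root.find("body"))

    def dissect(self, data):
        self.data, self.pos, self.bitpos = bytes(data), 0, 0
        out = {}
        self._fields(self.body, out)
        return out

    def _need(self, n):  # every packet-derived length is checked here before use
        left = len(self.data) - self.pos
        if n < 0 or n > left:
            raise DissectError(f"need {n} bytes at offset {self.pos}, {left} left")

    def _read_bits(self, nbits):
        value = 0
        for _ in range(nbits):
            self._need(1)
            value = (value << 1) | ((self.data[self.pos] >> (7 - self.bitpos)) & 1)
            self.bitpos += 1
            if self.bitpos == 8:
                self.bitpos, self.pos = 0, self.pos + 1
        return value

    def _count(self, field, scope):
        spec = field.get("array_length")
        if spec in (None, "end"):
            return spec
        if spec.isdigit():
            return int(spec)
        if isinstance(scope.get(spec), int):  # length taken from an earlier field
            return scope[spec]
        raise DissectError(f"array_length {spec!r} is not an earlier integer field")

    def _one(self, ftype, scope):
        if ftype in self.SIZES:
            n = self.SIZES[ftype]
            self._need(n)
            self.pos += n
            return int.from_bytes(self.data[self.pos - n:self.pos], "big")
        if ftype in self.types:  # user-defined struct; inner fields may see outer ones
            sub = {}
            self._fields(self.types[ftype], ChainMap(sub, scope))
            return sub
        raise DissectError(f"unknown type {ftype!r}")

    def _value(self, ftype, count, scope):
        if ftype == "bits":
            if not isinstance(count, int):
                raise DissectError("bits needs a numeric array_length")
            return self._read_bits(count)
        if self.bitpos:  # assumption: finish a partly consumed byte before an aligned field
            self.bitpos, self.pos = 0, self.pos + 1
        if ftype == "bytes":
            n = len(self.data) - self.pos if count == "end" else (1 if count is None else count)
            self._need(n)
            self.pos += n
            return self.data[self.pos - n:self.pos]
        if count is None:
            return self._one(ftype, scope)
        items = []
        while (self.pos < len(self.data)) if count == "end" else (len(items) < count):
            items.append(self._one(ftype, scope))
        return items

    def _fields(self, fields, scope):
        for f in fields:
            scope[f.get("name")] = self._value(f.get("type"), self._count(f, scope), scope)

# Constructed packets.  Byte 0x45 = 01 000101, so Flag=1 and Kind=5.
PACKET = (bytes([0x45, 3]) + b"abc" + bytes([2]) + (1).to_bytes(4, "big") + b"xy"
          + (0xDEADBEEF).to_bytes(4, "big") + b"zw" + b"\x99")
BAD_PACKET = bytes([0x45, 200]) + b"abc"  # Length claims 200 bytes but only 3 follow

def dissect_demo():
    return Dissector(DESCRIPTION).dissect(PACKET)

def truncated_is_rejected():
    try:
        Dissector(DESCRIPTION).dissect(BAD_PACKET)
    except DissectError:
        return True
    return False
```

dissect_demo() walks the body in order, so a length field is only usable by fields that come after it, which is also what keeps the lookup in _count unambiguous; truncated_is_rejected() shows the oversized Length being refused at the _need check rather than silently slicing short or reading beyond the packet.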