Wireshark-dev: Re: [Wireshark-dev] Dissector for stream data

From: Andriy Beregovenko <jet@xxxxxxxxxxx>
Date: Sat, 24 Dec 2011 15:16:02 +0200
Hi,

Also I got another problem:
If I open dump, select frame, and push 'END' I move to end of dump.
At this time all frames between first few frames and few last frames, not
decoded, so I can't correct decode last frame.
Question is: how I can walk through all frames that will be passed to
dissector if we look frames one-by-one? 

On Mon, Dec 19, 2011 at 03:42:05PM +0100, Jaap Keuter wrote:
> On 2011-12-18 14:17, Andriy Beregovenko wrote:
> 
> >Hi,
> >
> >Now i'm writing dissector for some kind of traffic. I'm already
> >got basic
> >knowledge in dissector writing, so first primitive version was
> >already done.
> >But now, when I try to complete fully featured version of
> >dissector I got
> >many trobles with routine. So I'm looking for good advice from
> >experienced
> >developers.
> >First of all, let me describe my traffic a little:
> >- most part of traffic is crypted(with rc4)+compressed(with mppc),
> >not
> >crypted is only few start frames;
> >- few start frames(or packets) have rc4 key inside itself;
> >
> >So I do next. When I dissect traffic, i looking for first frames,
> >reads rc4
> >keys from it and put it into static variable, so all other
> >frames(packets)
> >now can be correct decrypted. But I need to decompress(with MPPC),
> >and here
> >I got my troubles, cause I can decompress only 'linearly' incoming
> >data
> >(this is MPPC specific feature), so I'm stuck here. Please, point
> >me to
> >right way to implement such type of dissector.
> >-- Best regards, Andriy 0xBDDBDAE3
> 
> Hi,
> 
> Two things to be aware of:
> 1. Using statics to store dissection related data (key material in
> your case)
>    is bad style. Why? Image what happens when there are two streams
> in your
>    capture. Which key are you going to store?
> 
> 2. You have to be aware that Wireshark accesses frames in random
> order all
>    all the time. Only the first pass is sequential.
> 
> Because of 1. there is the notion of 'conversations'. Per
> conversation you
> can store protocol related data (your key). Every time you are asked to
> dissect a packet (remember, this can be in random order!), you have
> access to
> this stored data, in your conversation data.
> 
> Because of 2. you can setup your conversation data (your key) on the
> first
> pass (see PINFO_FD_VISITED macro) and use it later on.
> 
> Read through doc/README.developer for these subjects.
> 
> Thanks,
> Jaap
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

-- 
Best regards,
Andriy
0xBDDBDAE3

Attachment: signature.asc
Description: Digital signature