Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Enhanced PCAP-NG dissection
From: Brandon Carpenter <hashstat () pnnl gov>
Date: Thu, 18 Apr 2013 13:01:39 -0700

On 04/17/2013 4:22 PM, Guy Harris wrote:
I'm not talking about saving/exporting from Wireshark (or "-r" and "-w" from

I'm talking about using *editcap*, which includes no dissectors and should not include any dissectors, to do that form 
of transformation.
Yes, sorry. I was unfamiliar with editcap (and just educated myself). I now see the problem. And I was wrong in my response anyway. My change passes the whole PCAP-NG block as if it were the packet data which is something that would cause conversions with editcap to fail miserably.

And I agree with everything else you said, too (well, mostly anyway).

So what if we allow wiretap readers the ability to pass on a list of buffers, each with a type. Then dissectors and writers can "look" through the list and use only what it is able and ignore items it doesn't understand or does not want to process. So pcapng_read() could return something like the following (using Pythonic syntax for lists and tuples):

    1. [(PCAPNG_BLOCK, (SHB, header data))]
    2. [(PCAPNG_BLOCK, (IDB, interface data))]
3. [(PCAPNG_BLOCK, (NRB, name options)), (NAME, (ip address, names, ...))] 4. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr, packet data))] 5. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr, packet data))]
    6. [(PCAPNG_BLOCK, (IDB, interface data))]
7. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr, packet data))]
    ...

In libwireshark, the dissector would store comments from the first item, a section header block, but would not display it in the packet list. Item 2, an interface descriptor block, might append the interface data to a separate interface list and also not add anything to the packet list. Item 3, a name resolution block, would provide the name resolution, which could be added to the names list while also ignoring the packet list. With item 4, there is finally data to append to the packet list with the addition of metadata, in the form of PCAP-NG options, which can also be displayed. An expert dissector could be enabled to also show the PCAP-NG blocks in the packet listing, along with detailed dissection (a great tool for learning PCAP-NG or for exploring new block types and options). When the data is transformed to another format, as with editcap, unknown items can be ignored.

I think my head is about to explode now.  Time for lunch.

Brandon
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault