Adding the magicpoint presentation I am doing for LinuxWorld Malaysia

svn path=/trunk/; revision=2505
This commit is contained in:
Richard Sharpe 2000-10-17 09:32:46 +00:00
parent 2030dba693
commit da5b5e67c7
1 changed files with 711 additions and 0 deletions

doc/ethereal-tut.mgp Normal file

@ -0,0 +1,711 @@
#!/usr/bin/X11/mgp -o -g 1028x776-1026-772
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Copyright, 2000, Richard Sharpe, richard.sharpe@linuxworld.com
%%
%% This presentation is free material; you can redistribute it and/or
%% modify it under the terms of the GNU General Public License
%% as published by the Free Software Foundation; either version 2
%% of the License, or (at your option) any later version.
%%
%% This material is distributed in the hope that it will be useful,
%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
%% GNU General Public License for more details.
%%
%% You should have received a copy of the GNU General Public License
%% along with this material; if not, write to the Free Software
%% Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
%%
%% If you make any changes or improvements, please consider contributing
%% them back to the ethereal team or the author.
%%
%deffont "standard" xfont "comic sans ms-medium-r"
%deffont "thick" xfont "arial black-medium-r"
%deffont "typewriter" xfont "courier new-bold-r"
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "yellow", back "black", font "thick"
%default 1 bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 95, prefix " ", icon box "red" 50
%tab 2 size 4, vgap 95, prefix " ", icon arc "yellow" 50
%tab 3 size 3, vgap 95, prefix " ", icon delta3 "white" 40
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%tfont "comic sans ms-medium-r"
%center, size 4
%image "ethereal-logo-small.png"
%size 7, font "standard"
Developing an Ethereal Dissector
%size 7, font "standard"
A tutorial on Open Source Software
%size 4, font "standard"
by Richard Sharpe
%% You may add the following here, if you like ...
%%size 4, font "standard"
%%Presented by YOUR NAME HERE
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Agenda
My involvement with Ethereal
Overview of Ethereal
Developing a dissector
The AUTH/IDENT dissector
Advanced topics
Resources
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
My involvement with Ethereal
Needed a Linux/Unix packet analysis program
Found Ethereal in late 1998
Very few application protocols at that stage
Developed a number of dissectors in 1999 and 2000
POP, TFTP, FTP, Telnet, SMB, SMTP, BXXP
Helped with various bits of infrastructure and ideas
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Overview of Ethereal
What is Ethereal
Genesis of Ethereal
Protocols it understands
Features
Platforms it runs on
Tools it uses
Uses for Ethereal
Future of Ethereal
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What is Ethereal
Open source packet capture and analysis program
GPL'd
Based on GTK+
Uses libpcap
Developed by a world-wide team
Being used by standards groups
Supports many protocols
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
What is Ethereal
%%system "/root/ethereal-latest/ethereal -m 9x15 -n -r /root/captures/w95-logon-off-nt.cap" -1
%%system "xterm -fn 12x24 -e more /root/ethereal-latest/packet-bxxp.c &"
%center
%image "ethereal-shot.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Genesis of Ethereal
Started in 1998 by Gerald Combs
Needed a GUI-based packet analysis program
Wrote his own, using GTK+
Quickly gained a following
Guy Harris, Gilbert Ramirez, Laurent Deniel
Jun-ichiro itojun Hagino, Hannes Boehm,
Richard Sharpe, Jeff Foster, ...
Currently, Version 0.8.13?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Protocols it understands
Any UNIX/Linux network device
IP, IPX, NetBEUI, X.25, HDLC, ...
ICMP, IGMP, TCP, UDP, OSPF, ...
Many application layer protocols
138+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Features
Read and write many capture file formats
libpcap, NetMon, snoop, NetXRay, ...
Filter packets during capture
Filter packets during display
View all packet details code handles
Follow TCP streams
Print packets, etc ...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Platforms it runs on
Any version of UNIX with:
GTK+
libpcap
Linux, FreeBSD, ...
Windows 9X, NT, 2000
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Tools it uses
GTK+ 1.2.6+, Glib
libpcap
autogen, automake, bison, flex, GCC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Uses for Ethereal
Learning about protocols
Network troubleshooting
Developing new implementations
Capturing passwords
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Example ... Why is RADIUS failing
%center
%image "ethereal-radius.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Future of Ethereal
Version 1.0 early 2001
Version 2.0 redeveloped
Apply all the lessons we have learned
Separate packet dissecting from display
Provide a library to be use separately
Use SNMP to capture from RMON packet probes
Developer documentation
Improve user documentation
Automatic generation of dissectors?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Developing a dissector
Obtaining the source code
Other packages you need
Unpack source and prepare to build
Structure of the source code
Your dissector
Summary information vs tree view
When your dissector is called
Routines you will need to use
Using tvb versus the (packet) frame buffer
A walk through a dissector
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Obtaining the source code
Download from www.ethereal.com
Not the latest code
But it will compile
Get access to the CVS tree
Latest, possibly buggy code
May not compile
May be undergoing serious change
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Other packages you need
libpcap
GTK+ 1.2.6+
GLIB 1.2.6+
automake, autoconf
make
gcc
bison/yacc, flex/lex
Perl
Python
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Unpack your source and prepare to build
%size 4, font "typewriter"
tar zxvf ethereal-0.8.x.tar.gz
%size 4, font "typewriter"
cd ethereal-0.8.x
%size 4, font "typewriter"
./configure # may need autogen.sh
%size 4, font "typewriter"
# Fix up any problems
%size 4, font "typewriter"
make
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Structure of the source code
ethereal-0.x.y
All the dissectors, packet-xxx.c
Much of the support code
ethereal-0.x.y/gtk
Contains main.c
Contains the GUI code
ethereal-0.x.y/wiretap
Code to deal with capture file formats
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Structure, cont
ethereal-0.x.y/doc
Documentation and scripts for generating docs
ethereal-0.x.y/plugins
Plugins and support code
ethereal-0.x.y/others...
A few other directories
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Your dissector
Create packet-xxx.c in top level directory
Copy an existing dissector and modify
eg, packet-pop.c
not a good choice if you need to keep state between packets
Must have a dissect_xxx entry point
Use build-dissector.pl to build a TCP/UDP dissector
Can decode as much or as little as you want
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Summary information vs tree view
Must produce two types of information
Summary information in the top pane
Protocol tree information in the middle and lower panes
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Summary vs tree view, cont
One dissector used for both!
If called with a tree argument, must provide protocol tree info
If called without a tree argument, only need to provide summary
Your protocol may require you to decode whole packet in either case!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
When your dissector is called
Called by the protocol below you
Eg, packet-tcp.c, etc
Once, on first pass, for every packet that is yours
Mainly, summary info wanted this time around
If filter specified, full decode needed
If color filter in effect, full decode needed
Everytime user clicks on one of your packets in the summary pane
If a rescan is needed
Once, again, for every packet that is yours
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Routines you will need to use
Registration routines
Summary info display
Protocol tree display
Packet access routines (macros)
TVB routines
Utility routines
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Registration routines
Registering initialization callbacks
Create a bxxp_init_protocol routine
Registering your dissection routines
Create proto_register_xxx routine
Call dissector_add
Create proto_reg_handoff_xxx
Registering filter information
Registering preference information
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Summary info display
check_col
Checks if a column is needed
col_add_[f]str
Adds a string or a formatted string
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Protocol tree display
proto_item_add_subtree
Adds a new subtree to the protocol tree
proto_tree_add_xxx[_format]
Adds an item to the subtree for display and searching
proto_tree_add_xxx_hidden
Adds an item to the subtree for searching only
proto_item_set_len
Sets the length for an item
proto_tree_add_notext & proto_tree_set_text
Adds an item without text
Later add the text
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Packet access routines (macros)
Accessing information in the frame data
Only needed if you are not using TVB
Extracting information with correct endianness
Big endian
pntohs, pntohl
Little endian
pletohs, pletohl
Avoids unaligned access traps on RISC architectures as well
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
TVB routines
tvb_xxx
Routines to access data from the packet
tvb_length_remaining(tvb, offset)
Find out how many bytes remain in the packet
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Utility routines
format_text
Formats packet data for display in the detail pane
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Using TVB vs the frame buffer
Original dissectors accessed the packet/frame buffer
Too many coders did not check that chars were available
Many crashes due to poor code
Testy Virtializable Buffers introduced
Protect Ethereal from bad coding
However, few dissectors converted to using TVB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A walk through a dissector...
%%system "...more etc ..."
Walk through packet-pop.c comparing code to what Ethereal displays
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The AUTH/IDENT dissector
Overview of the AUTH/IDENT dissector
Discussion of the AUTH/IDENT dissector
Other files you need to modify
Building the dissector
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Overview of the AUTH/IDENT dissector
%center, size 4
%image "rfc1413.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Discussion of the AUTH/IDENT dissector
Simple dissector needed here
All dissection decisions based on packet content alone
Must check port numbers for client or server side
Small amount of code plus a couple of support routines
Some registration code required
%page
Create the dissector...
Hack away until done...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Other files you need to modify
Makefile.am
Add your source code module to DISSECTOR_SOURCES
Rerun configure
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Building the dissector
%size 4, font "typewriter"
make: make
%size 4, font "typewriter"
test
%size 4, font "typewriter"
fix
%size 4, font "typewriter"
goto make
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Advanced topics
Preferences
Display filters
Keeping state
Conversations
Per-frame state
Missing frames
Changing the GUI
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Preferences
Allow you to manage preferences
Kept in ~/.ethereal/preferences
You provide a callback routine
proto_reg_handoff_xxx
Register your preferences in proto_register_xxx
Fields
Types
Description
They appear in the preferences panel
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Preferences, cont
%center, image "eth-prefs.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Preferences, the code
prefs_register_module
Registers the module and a handoff routine
prefs_register_xxx_preference
Registers a preferences field, its type, name, description, etc
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Display filters
Allow users to search the capture file for interesting items
Supported by registering field items to the protocol tree
proto_register_field_array
Field items can be displayable or hidden
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Keeping state
Sometimes you want to keep state information
You need information from past frames to make sense of the current frame
Two mechanisms that work hand in hand
Conversations
Focussed around TCP connections
Per-frame data
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Conversations
Conversations allow you to keep state information
Source & dest IP and port numbers
Search for the conversation on each frame
Create one if it does not exist
Best used on the first pass through all the packets
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Per-frame state
State can be kept:
Per-frame
Per-protocol
Best used in conjunction with conversations
Accumulate information on first pass
Add it to per-frame data as you go
Always check for per-frame data first
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Missing and or duplicate frames
Your dissector must tolerate missing frames, segments, etc
Can be missing for a variety of reasons
Did not capture enough packets/frames
Multiple paths through the internet
Your dissector must also tolerate duplicate segments
Retransmissions
Capturing on loopback under Linux
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Changing the GUI
All the GUI code is kept in ethereal-x.y.z/gtk
Mostly callbacks from GTK+ objects
Add what you need
Discuss it with the team first
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Resources
The Ethereal web site
www.ethereal.com
The Ethereal user's guide
www.ns.aus.com/ethereal/user-guide/book1.html
The GTK+ web site
www.gtk.org
Ethereal developers documentaion
README.developer in doc directory
README.tvbuff in doc directory
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Mailing lists
ethereal-dev
ethereal-announce
ethereal-users
ethereal-core
Subscribe to them from www.ethereal.com
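Review bot: The "Your dissector" slide tells newcomers to copy packet-pop.c and the walk-through slide uses it as well, yet the later "Using TVB vs the frame buffer" slide says that frame-buffer style is exactly what produced the crashes ("Too many coders did not check that chars were available", "Many crashes due to poor code", "However, few dissectors converted to using TVB"); since the deck's own %%system line runs ethereal out of /root, an unchecked read past the end of a short or malformed packet in a new dissector is a security problem rather than just a bug, so the tutorial should state that new dissectors, the AUTH/IDENT example included, must use the tvb_* accessors and check tvb_length_remaining(tvb, offset) before each read, and the walk-through should be done on a dissector already converted to TVB, or say so explicitly if packet-pop.c is one. Smaller points: "Other files you need to modify" says "Rerun configure" after adding the file to DISSECTOR_SOURCES in Makefile.am, but a changed Makefile.am needs automake (the autogen.sh the earlier build slide mentions) to regenerate Makefile.in before configure does anything useful; "Create a bxxp_init_protocol routine" on the registration slide is a BXXP-specific leftover where every other item uses the xxx placeholder; the commented-out %%system lines point at /root/ethereal-latest and /root/captures, which will not exist for the "Presented by YOUR NAME HERE" presenter the header invites; "Currently, Version 0.8.13?" and %%system "...more etc ..." are unresolved placeholders; and typos: "Testy Virtializable Buffers" (the expansion of TVB is "testy, virtualizable"), "documentaion", "Everytime".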