forked from osmocom/wireshark
da5b5e67c7
svn path=/trunk/; revision=2505
712 lines
16 KiB
Text
#!/usr/bin/X11/mgp -o -g 1028x776-1026-772
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Copyright, 2000, Richard Sharpe, richard.sharpe@linuxworld.com
%%
%% This presentation is free material; you can redistribute it and/or
%% modify it under the terms of the GNU General Public License
%% as published by the Free Software Foundation; either version 2
%% of the License, or (at your option) any later version.
%%
%% This material is distributed in the hope that it will be useful,
%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
%% GNU General Public License for more details.
%%
%% You should have received a copy of the GNU General Public License
%% along with this material; if not, write to the Free Software
%% Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
%%
%% If you make any changes or improvements, please consider contributing
%% them back to the ethereal team or the author.
%%
%deffont "standard" xfont "comic sans ms-medium-r"
%deffont "thick" xfont "arial black-medium-r"
%deffont "typewriter" xfont "courier new-bold-r"
%%
%% Default settings for each line number.
%%
%default 1 leftfill, size 8, fore "yellow", back "black", font "thick"
%default 1 bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 95, prefix " ", icon box "red" 50
%tab 2 size 4, vgap 95, prefix " ", icon arc "yellow" 50
%tab 3 size 3, vgap 95, prefix " ", icon delta3 "white" 40
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%tfont "comic sans ms-medium-r"


%center, size 4
%image "ethereal-logo-small.png"

%size 7, font "standard"
Developing an Ethereal Dissector

%size 7, font "standard"
A tutorial on Open Source Software

%size 4, font "standard"
by Richard Sharpe

%% You may add the following here, if you like ...
%%size 4, font "standard"
%%Presented by YOUR NAME HERE

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Agenda


	My involvement with Ethereal
	Overview of Ethereal
	Developing a dissector
	The AUTH/IDENT dissector
	Advanced topics
	Resources


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

My involvement with Ethereal


	Needed a Linux/Unix packet analysis program
	Found Ethereal in late 1998
	Very few application protocols at that stage
	Developed a number of dissectors in 1999 and 2000
		POP, TFTP, FTP, Telnet, SMB, SMTP, BXXP
	Helped with various bits of infrastructure and ideas

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of Ethereal


	What is Ethereal
	Genesis of Ethereal
	Protocols it understands
	Features
	Platforms it runs on
	Tools it uses
	Uses for Ethereal
	Future of Ethereal

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What is Ethereal


	Open source packet capture and analysis program
	GPL'd
	Based on GTK+
	Uses libpcap
	Developed by a world-wide team
	Being used by standards groups
	Supports many protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"

What is Ethereal
%%system "/root/ethereal-latest/ethereal -m 9x15 -n -r /root/captures/w95-logon-off-nt.cap" -1
%%system "xterm -fn 12x24 -e more /root/ethereal-latest/packet-bxxp.c &"

%center
%image "ethereal-shot.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Genesis of Ethereal


	Started in 1998 by Gerald Combs
	Needed a GUI-based packet analysis program
	Wrote his own, using GTK+
	Quickly gained a following
		Guy Harris, Gilbert Ramirez, Laurent Deniel
		Jun-ichiro itojun Hagino, Hannes Boehm,
		Richard Sharpe, Jeff Foster, ...
	Currently, Version 0.8.13?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocols it understands


	Any UNIX/Linux network device
	IP, IPX, NetBEUI, X.25, HDLC, ...
	ICMP, IGMP, TCP, UDP, OSPF, ...
	Many application layer protocols
		138+

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Features


	Read and write many capture file formats
		libpcap, NetMon, snoop, NetXRay, ...
	Filter packets during capture
	Filter packets during display
	View all packet details code handles
	Follow TCP streams
	Print packets, etc ...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Platforms it runs on


	Any version of UNIX with:
		GTK+
		libpcap
		Linux, FreeBSD, ...
	Windows 9X, NT, 2000


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Tools it uses


	GTK+ 1.2.6+, Glib
	libpcap
	autogen, automake, bison, flex, GCC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Uses for Ethereal


	Learning about protocols
	Network troubleshooting
	Developing new implementations
	Capturing passwords

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example ... Why is RADIUS failing

%center
%image "ethereal-radius.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Future of Ethereal


	Version 1.0 early 2001
	Version 2.0 redeveloped
		Apply all the lessons we have learned
		Separate packet dissecting from display
		Provide a library to be used separately
		Use SNMP to capture from RMON packet probes
	Developer documentation
	Improve user documentation
	Automatic generation of dissectors?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Developing a dissector


	Obtaining the source code
	Other packages you need
	Unpack source and prepare to build
	Structure of the source code
	Your dissector
	Summary information vs tree view
	When your dissector is called
	Routines you will need to use
	Using tvb versus the (packet) frame buffer
	A walk through a dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Obtaining the source code


	Download from www.ethereal.com
		Not the latest code
		But it will compile
	Get access to the CVS tree
		Latest, possibly buggy code
		May not compile
		May be undergoing serious change


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Other packages you need


	libpcap
	GTK+ 1.2.6+
	GLIB 1.2.6+
	automake, autoconf
	make
	gcc
	bison/yacc, flex/lex
	Perl
	Python

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Unpack your source and prepare to build


%size 4, font "typewriter"
tar zxvf ethereal-0.8.x.tar.gz

%size 4, font "typewriter"
cd ethereal-0.8.x

%size 4, font "typewriter"
./configure # may need autogen.sh

%size 4, font "typewriter"
# Fix up any problems

%size 4, font "typewriter"
make

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure of the source code


	ethereal-0.x.y
		All the dissectors, packet-xxx.c
		Much of the support code
	ethereal-0.x.y/gtk
		Contains main.c
		Contains the GUI code
	ethereal-0.x.y/wiretap
		Code to deal with capture file formats

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure, cont


	ethereal-0.x.y/doc
		Documentation and scripts for generating docs
	ethereal-0.x.y/plugins
		Plugins and support code
	ethereal-0.x.y/others...
		A few other directories

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Your dissector


	Create packet-xxx.c in top level directory
	Copy an existing dissector and modify
		eg, packet-pop.c
			not a good choice if you need to keep state between packets
	Must have a dissect_xxx entry point
	Use build-dissector.pl to build a TCP/UDP dissector
	Can decode as much or as little as you want

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary information vs tree view


	Must produce two types of information
		Summary information in the top pane
		Protocol tree information in the middle and lower panes


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary vs tree view, cont


	One dissector used for both!
	If called with a non-NULL tree argument, must provide protocol tree info
	If called with a NULL tree argument, only need to provide summary info
	Your protocol may require you to decode the whole packet in either case!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

When your dissector is called


	Called by the protocol below you
		Eg, packet-tcp.c, etc
	Once, on first pass, for every packet that is yours
		Mainly, summary info wanted this time around
		If filter specified, full decode needed
		If color filter in effect, full decode needed
	Every time user clicks on one of your packets in the summary pane
	If a rescan is needed
		Once, again, for every packet that is yours

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Routines you will need to use


	Registration routines
	Summary info display
	Protocol tree display
	Packet access routines (macros)
	TVB routines
	Utility routines

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Registration routines


	Registering initialization callbacks
		Create an xxx_init_protocol routine (eg, bxxp_init_protocol)
	Registering your dissection routines
		Create proto_register_xxx routine
		Call dissector_add (from proto_reg_handoff_xxx)
		Create proto_reg_handoff_xxx
	Registering filter information
	Registering preference information

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary info display


	check_col
		Checks if a column is being displayed, so the string is only built when needed
	col_add_[f]str
		Adds a string or a formatted string


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocol tree display


	proto_item_add_subtree
		Adds a new subtree to the protocol tree
	proto_tree_add_xxx[_format]
		Adds an item to the subtree for display and searching
	proto_tree_add_xxx_hidden
		Adds an item to the subtree for searching only
	proto_item_set_len
		Sets the length for an item
	proto_tree_add_notext & proto_item_set_text
		Adds an item without text
		Later add the text

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Packet access routines (macros)


	Accessing information in the frame data
		Only needed if you are not using TVB
	Extracting information with correct endianness
		Big endian
			pntohs, pntohl
		Little endian
			pletohs, pletohl
		Avoids unaligned access traps on RISC architectures as well

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

TVB routines


	tvb_xxx
		Routines to access data from the packet, with bounds checking
	tvb_length_remaining(tvb, offset)
		Find out how many captured bytes remain in the packet from offset

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Utility routines


	format_text
		Formats packet data for display in the detail pane

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Using TVB vs the frame buffer


	Original dissectors accessed the packet/frame buffer directly
		Too many coders did not check that enough bytes were available before reading
		Many crashes on short or malformed packets
	Testy Virtualizable Buffers introduced
		Protect Ethereal from bad coding: every access is bounds checked
	However, few dissectors converted to using TVB so far

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
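Taking the previous three slides together (packet access macros, TVB routines, TVB versus the frame buffer), here is an added, stand-alone C example. It is not Ethereal's tvbuff code and is not from the slides: it restates the byte-wise big/little-endian extraction that the pntohs/pntohl/pletohs/pletohl macros perform, builds a minimal bounds-checked buffer whose accessors refuse to read past the captured length, and runs an old-style unchecked dissector and a checked one over the same truncated packet. Only the C standard library is used; the tvb_t type, the setjmp-based error return, the toy header layout and the sample bytes are this example's own assumptions, and the function names merely mirror Ethereal's naming.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-wise field extraction: correct at any alignment and on any host byte
 * order. These play the role of Ethereal's pntohs/pntohl/pletohs/pletohl
 * macros; the names are reused here for a stand-alone example only. */
static inline uint16_t pntohs(const uint8_t *p)  { return (uint16_t)((p[0] << 8) | p[1]); }
static inline uint32_t pntohl(const uint8_t *p)  { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static inline uint16_t pletohs(const uint8_t *p) { return (uint16_t)((p[1] << 8) | p[0]); }
static inline uint32_t pletohl(const uint8_t *p) { return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0]; }

/* A minimal "testy" buffer (this example's own type, not Ethereal's tvbuff):
 * every accessor checks the captured length and, on an out-of-range read,
 * jumps back to the dissector's recovery point instead of touching memory
 * beyond the packet. Ethereal uses its own exception mechanism for this. */
typedef struct {
    const uint8_t *data;
    size_t         len;         /* bytes actually captured, not the on-wire length */
    jmp_buf       *bounds_err;  /* recovery point for an out-of-range read */
} tvb_t;

static void tvb_check(const tvb_t *tvb, size_t offset, size_t n) {
    if (offset > tvb->len || n > tvb->len - offset)
        longjmp(*tvb->bounds_err, 1);
}
static size_t tvb_length_remaining(const tvb_t *tvb, size_t offset) {
    return offset < tvb->len ? tvb->len - offset : 0;
}
static uint16_t tvb_get_ntohs(const tvb_t *tvb, size_t offset)  { tvb_check(tvb, offset, 2); return pntohs(tvb->data + offset); }
static uint16_t tvb_get_letohs(const tvb_t *tvb, size_t offset) { tvb_check(tvb, offset, 2); return pletohs(tvb->data + offset); }
static uint32_t tvb_get_ntohl(const tvb_t *tvb, size_t offset)  { tvb_check(tvb, offset, 4); return pntohl(tvb->data + offset); }

/* Toy 8-byte header, constructed for this example: big-endian type,
 * little-endian flags, big-endian id, then an arbitrary payload. */
struct hdr { uint16_t type; uint16_t flags; uint32_t id; size_t payload_len; };

/* Old frame-buffer style: reads 8 bytes no matter how many were captured.
 * On a truncated packet this reads whatever memory follows the packet. */
static int dissect_unchecked(const uint8_t *pd, size_t captured, struct hdr *h) {
    h->type  = pntohs(pd);
    h->flags = pletohs(pd + 2);
    h->id    = pntohl(pd + 4);
    h->payload_len = captured > 8 ? captured - 8 : 0;
    return 1;
}

/* TVB style: returns 0, having read nothing past the capture, if the header is short. */
static int dissect_checked(const uint8_t *pd, size_t captured, struct hdr *h) {
    jmp_buf err;
    tvb_t tvb = { pd, captured, &err };
    if (setjmp(err))
        return 0;                      /* a tvb_get_* call hit the end of the capture */
    h->type  = tvb_get_ntohs(&tvb, 0);
    h->flags = tvb_get_letohs(&tvb, 2);
    h->id    = tvb_get_ntohl(&tvb, 4);
    h->payload_len = tvb_length_remaining(&tvb, 8);
    return 1;
}

/* Constructed samples. In truncated_mem only the first 5 bytes are "the packet";
 * the 0xAA bytes stand in for unrelated memory that happens to follow it. */
static const uint8_t full_pkt[10]      = { 0x00,0x01, 0x34,0x12, 0xde,0xad,0xbe,0xef, 0x41,0x42 };
static const uint8_t truncated_mem[16] = { 0x00,0x01, 0x34,0x12, 0xde, 0xaa,0xaa,0xaa,
                                           0xaa,0xaa,0xaa,0xaa, 0xaa,0xaa,0xaa,0xaa };

int main(void) {
    struct hdr h;
    if (dissect_checked(full_pkt, sizeof full_pkt, &h))
        printf("checked:   type=%u flags=0x%04x id=0x%08x payload=%zu\n",
               h.type, h.flags, h.id, h.payload_len);
    if (!dissect_checked(truncated_mem, 5, &h))
        printf("checked:   5-byte capture rejected, nothing read past it\n");
    dissect_unchecked(truncated_mem, 5, &h);
    printf("unchecked: id=0x%08x from a 5-byte capture (3 bytes came from beyond the packet)\n", h.id);
    return 0;
}
```

The unchecked version on a 5-byte capture returns an id whose low three bytes came from beyond the packet: in a real analyser that is a read of whatever memory follows the frame, which is how a short or crafted packet crashes the program or leaks memory contents into the display. The checked version returns 0 and reads nothing past the capture. Any length or count a header declares should likewise be compared against tvb_length_remaining before it is trusted.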
%page

A walk through a dissector...


%%system "...more etc ..."
	Walk through packet-pop.c comparing code to what Ethereal displays

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

The AUTH/IDENT dissector


	Overview of the AUTH/IDENT dissector
	Discussion of the AUTH/IDENT dissector
	Other files you need to modify
	Building the dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of the AUTH/IDENT dissector


%center, size 4
%image "rfc1413.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Discussion of the AUTH/IDENT dissector


	Simple dissector needed here
	All dissection decisions based on packet content alone
	Must check port numbers to tell the client (request) side from the server (response) side
	Small amount of code plus a couple of support routines
	Some registration code required

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Create the dissector...


	Hack away until done...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
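The slides stop at "hack away until done", so here is an added example of what that hacking produces. It is a self-contained C dissector for the RFC 1413 line format written for this page; it is not the AUTH/IDENT dissector the tutorial builds and not Ethereal code. It does what the discussion slide asks for: it tells request from response by the port pair, never looks beyond the captured bytes when searching for the end of line, fills a summary string (the column info) on every call, and only populates tree items when a tree is wanted, as the summary-versus-tree slides describe. tree_t, ident_pdu, tree_add and ident_dissect are this example's own stand-ins, not Ethereal's proto_tree or col_* API; the sample lines are constructed (the USERID reply is the example given in RFC 1413).

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDENT_PORT 113   /* RFC 1413 "auth"/"ident" TCP port */

typedef enum { IDENT_NOT_IDENT, IDENT_REQUEST, IDENT_USERID,
               IDENT_ERROR, IDENT_MALFORMED } ident_kind;

/* Stand-in for a protocol tree (this example's own, not Ethereal's proto_tree):
 * a NULL tree means "summary only"; otherwise every field becomes one text item. */
typedef struct { char item[8][96]; int n; } tree_t;

static void tree_add(tree_t *t, const char *fmt, ...) {
    va_list ap;
    if (!t || t->n >= 8) return;
    va_start(ap, fmt);
    vsnprintf(t->item[t->n++], sizeof t->item[0], fmt, ap);
    va_end(ap);
}

typedef struct {
    ident_kind kind;
    unsigned   server_port, client_port;  /* the "<server-port> , <client-port>" pair */
    char       opsys[32], user[64], error[32];
    char       info[128];                 /* summary text, what the Info column would show */
} ident_pdu;

/* Copy s[0..n) into dst without surrounding blanks and without overflowing dst. */
static void trim_copy(char *dst, size_t dstsz, const char *s, size_t n) {
    while (n && isspace((unsigned char)s[0])) { s++; n--; }
    while (n && isspace((unsigned char)s[n - 1])) n--;
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

static ident_kind malformed(ident_pdu *out, const char *why) {
    snprintf(out->info, sizeof out->info, "Malformed: %s", why);
    return out->kind = IDENT_MALFORMED;
}

/* Dissect one IDENT line. data/len are the captured TCP payload; the port
 * numbers decide whether it is the client's request or the server's reply. */
static ident_kind ident_dissect(const uint8_t *data, size_t len, unsigned srcport,
                                unsigned dstport, ident_pdu *out, tree_t *tree)
{
    char line[1024], type[16], *p, *q, *c;
    size_t n = 0;

    memset(out, 0, sizeof *out);
    if (srcport != IDENT_PORT && dstport != IDENT_PORT)
        return out->kind = IDENT_NOT_IDENT;

    /* Find the end of line inside the captured bytes only; a line that does not
     * end within the capture is reported as malformed, never read past. */
    while (n < len && data[n] != '\n') n++;
    if (n == len || n >= sizeof line) return malformed(out, "no CRLF within captured data");
    if (n && data[n - 1] == '\r') n--;
    memcpy(line, data, n);
    line[n] = '\0';

    /* "<server-port> , <client-port>" starts both requests and replies */
    out->server_port = (unsigned)strtoul(line, &q, 10);
    if (q == line) return malformed(out, "missing server port");
    for (p = q; isspace((unsigned char)*p); p++) ;
    if (*p++ != ',') return malformed(out, "missing ','");
    out->client_port = (unsigned)strtoul(p, &q, 10);
    if (q == p) return malformed(out, "missing client port");
    for (p = q; isspace((unsigned char)*p); p++) ;
    tree_add(tree, "Server port: %u", out->server_port);
    tree_add(tree, "Client port: %u", out->client_port);

    if (dstport == IDENT_PORT) {          /* client -> server: a request */
        if (*p) return malformed(out, "trailing data after port pair");
        snprintf(out->info, sizeof out->info, "Request: server port %u, client port %u",
                 out->server_port, out->client_port);
        return out->kind = IDENT_REQUEST;
    }
    /* server -> client: ": USERID : <opsys> : <user-id>"  or  ": ERROR : <type>" */
    if (*p++ != ':' || !(c = strchr(p, ':'))) return malformed(out, "missing reply type");
    trim_copy(type, sizeof type, p, (size_t)(c - p));
    tree_add(tree, "Reply type: %s", type);
    p = c + 1;
    if (strcmp(type, "USERID") == 0) {
        if (!(c = strchr(p, ':'))) return malformed(out, "missing user-id");
        trim_copy(out->opsys, sizeof out->opsys, p, (size_t)(c - p));
        trim_copy(out->user, sizeof out->user, c + 1, strlen(c + 1));  /* user-id may itself contain ':' */
        tree_add(tree, "Operating system: %s", out->opsys);
        tree_add(tree, "User: %s", out->user);
        snprintf(out->info, sizeof out->info, "USERID %s: %s", out->opsys, out->user);
        return out->kind = IDENT_USERID;
    }
    if (strcmp(type, "ERROR") == 0) {
        trim_copy(out->error, sizeof out->error, p, strlen(p));
        tree_add(tree, "Error: %s", out->error);
        snprintf(out->info, sizeof out->info, "ERROR %s", out->error);
        return out->kind = IDENT_ERROR;
    }
    return malformed(out, "unknown reply type");
}

int main(void) {   /* constructed sample exchange */
    const char *rsp = "6191, 23 : USERID : UNIX : stjohns\r\n";
    ident_pdu p; tree_t t = { {{0}}, 0 };
    ident_dissect((const uint8_t *)rsp, strlen(rsp), IDENT_PORT, 1025, &p, &t);
    printf("summary: %s\n", p.info);
    for (int i = 0; i < t.n; i++) printf("  %s\n", t.item[i]);
    return 0;
}
```

Everything the line says is copied into fixed, NUL-terminated storage only after the end of line has been found within len, so a payload with no line terminator, or one longer than the 1000 octets RFC 1413 allows, is reported rather than scanned past. The same ident_dissect call serves the summary-only case (tree NULL) and the full-decode case, which is the "one dissector used for both" rule from the earlier slide.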
%page

Other files you need to modify


	Makefile.am
		Add your source code module to DISSECTOR_SOURCES
	Rerun configure

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Building the dissector


%size 4, font "typewriter"
make: make

%size 4, font "typewriter"
test

%size 4, font "typewriter"
fix

%size 4, font "typewriter"
goto make
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Advanced topics


	Preferences
	Display filters
	Keeping state
		Conversations
		Per-frame state
		Missing frames
	Changing the GUI


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences


	Allow you to manage preferences
		Kept in ~/.ethereal/preferences
	You provide a callback routine
		proto_reg_handoff_xxx
	Register your preferences in proto_register_xxx
		Fields
		Types
		Description
	They appear in the preferences panel


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, cont


%center, image "eth-prefs.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, the code


	prefs_register_module
		Registers the module and a handoff routine
	prefs_register_xxx_preference
		Registers a preferences field, its type, name, description, etc


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
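To make the registration slide and the three preference slides concrete, here is an added C example, written for this page and not taken from Ethereal's prefs or dissector-table code, that models the whole flow stand-alone: proto_register_ident registers the module, its callback and a port preference; proto_reg_handoff_ident adds the dissector to a port table and, when called again after the preference changes, removes the old port before adding the new one; and a stand-in for the TCP dissector hands payloads off by port. The tables, the prefs_* and dissector_* stand-ins (dissector_delete included), the preference name ident.tcp.port and the port 8113 are this example's own assumptions; the function names echo Ethereal's but the code is independent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- Stand-ins for the dissector table and the preference registry ---- */
typedef void (*dissector_t)(const char *payload, size_t len);
typedef struct { unsigned port; dissector_t fn; } port_entry;

static port_entry tcp_port_table[32];   /* plays the "tcp.port" table: port -> dissector */
static int        tcp_port_entries;

static void dissector_add(unsigned port, dissector_t fn) {
    if (tcp_port_entries < 32) {
        tcp_port_table[tcp_port_entries].port = port;
        tcp_port_table[tcp_port_entries].fn = fn;
        tcp_port_entries++;
    }
}
static void dissector_delete(unsigned port) {
    for (int i = 0; i < tcp_port_entries; i++)
        if (tcp_port_table[i].port == port) {
            tcp_port_table[i] = tcp_port_table[--tcp_port_entries];
            return;
        }
}
static dissector_t dissector_lookup(unsigned port) {
    for (int i = 0; i < tcp_port_entries; i++)
        if (tcp_port_table[i].port == port) return tcp_port_table[i].fn;
    return NULL;
}

typedef struct { const char *name; const char *title; unsigned *var; } uint_pref;
static uint_pref prefs[8];
static int       npref;
static void    (*prefs_apply_cb)(void);     /* the module's callback, run after a change */

static void prefs_register_module(const char *module, void (*apply_cb)(void)) {
    (void)module;
    prefs_apply_cb = apply_cb;
}
static void prefs_register_uint_preference(const char *name, const char *title, unsigned *var) {
    if (npref < 8) { prefs[npref].name = name; prefs[npref].title = title; prefs[npref].var = var; npref++; }
}
/* What reading ~/.ethereal/preferences or the preferences panel amounts to:
 * store the value, then let the module react. Returns 0 for an unknown name. */
static int prefs_set_uint(const char *name, unsigned value) {
    for (int i = 0; i < npref; i++)
        if (strcmp(prefs[i].name, name) == 0) {
            *prefs[i].var = value;
            if (prefs_apply_cb) prefs_apply_cb();
            return 1;
        }
    return 0;
}

/* ---- The dissector's side ---- */
static unsigned    global_ident_port = 113;   /* the preference; 113 is the RFC 1413 port */
static const char *last_payload;              /* records which payload reached us */

static void dissect_ident(const char *payload, size_t len) { (void)len; last_payload = payload; }

void proto_reg_handoff_ident(void);

void proto_register_ident(void) {
    prefs_register_module("ident", proto_reg_handoff_ident);
    prefs_register_uint_preference("ident.tcp.port", "TCP port for IDENT/AUTH", &global_ident_port);
}

/* Called once at start-up and again after every preference change. The static
 * flag tells the two apart: on a change the old port is unregistered first,
 * otherwise both the old and the new port would dispatch to this dissector. */
void proto_reg_handoff_ident(void) {
    static int      initialized;
    static unsigned registered_port;
    if (initialized) dissector_delete(registered_port);
    registered_port = global_ident_port;
    dissector_add(registered_port, dissect_ident);
    initialized = 1;
}

/* What the TCP dissector does with a payload: look the ports up in the table
 * and hand off. Returns 1 if some dissector claimed the payload. */
static int tcp_dispatch(unsigned sport, unsigned dport, const char *payload, size_t len) {
    dissector_t fn = dissector_lookup(dport);
    if (!fn) fn = dissector_lookup(sport);
    if (!fn) return 0;
    fn(payload, len);
    return 1;
}

int main(void) {
    proto_register_ident();
    proto_reg_handoff_ident();
    printf("port 113 -> %s\n", dissector_lookup(113) ? "ident" : "nothing");
    prefs_set_uint("ident.tcp.port", 8113);
    printf("after pref change: 113 -> %s, 8113 -> %s\n",
           dissector_lookup(113) ? "ident" : "nothing",
           dissector_lookup(8113) ? "ident" : "nothing");
    return 0;
}
```

The point of the static flag in proto_reg_handoff_ident is the second call: without the delete, changing the port preference would leave the dissector registered on both the old and the new port, and traffic on the old port would keep being decoded as IDENT.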
%page

Display filters


	Allow users to search the capture file for interesting items
	Supported by registering field items to the protocol tree
		proto_register_field_array
	Field items can be displayable or hidden

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Keeping state


	Sometimes you want to keep state information
		You need information from past frames to make sense of the current frame
	Two mechanisms that work hand in hand
		Conversations
			Focussed around TCP connections
		Per-frame data
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Conversations


	Conversations allow you to keep state information
		Keyed by source & dest IP addresses and port numbers
	Search for the conversation on each frame
		Create one if it does not exist
	Best used on the first pass through all the packets

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Per-frame state


	State can be kept:
		Per-frame
		Per-protocol
	Best used in conjunction with conversations
		Accumulate information on first pass
		Add it to per-frame data as you go
	Always check for per-frame data first
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
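The Keeping state, Conversations and Per-frame state slides, together with the earlier When your dissector is called slide, describe a pattern that is easy to get wrong, so here is an added C example, written for this page and not Ethereal's conversation or per-frame code, that shows it stand-alone: a conversation table keyed on both address/port pairs in a fixed order (so a frame in either direction finds the same entry), per-frame data written on the first pass and consulted first on every later call, an init routine that clears both before a capture is re-read, and a naive version without per-frame data whose answer changes when the user clicks on a frame a second time. The table sizes, the toy protocol (number each frame within its conversation), the addresses and the names find_conversation, conversation_new, p_get_proto_data and p_add_proto_data are this example's assumptions; the names echo Ethereal's but the code is independent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Conversation key: both address/port pairs in a fixed order, so a frame in
 * either direction maps to the same conversation. */
typedef struct { uint32_t addr_lo, addr_hi; uint16_t port_lo, port_hi; } conv_key;
typedef struct { conv_key key; unsigned frames_seen; int in_use; } conversation;
typedef struct { unsigned seq_in_conv; int in_use; } frame_data;

#define MAX_CONV   16
#define MAX_FRAMES 64
typedef struct { conversation c[MAX_CONV]; } conv_table;

static conv_table convs;              /* state accumulated across frames */
static conv_table convs_naive;        /* same, for the version without per-frame data */
static frame_data pfd[MAX_FRAMES];    /* per-frame results, indexed by frame number */

/* What a registered init routine does: clear all state before a capture is
 * (re)read, so nothing from the previous pass leaks into this one. */
static void proto_init_example(void) {
    memset(&convs, 0, sizeof convs);
    memset(&convs_naive, 0, sizeof convs_naive);
    memset(pfd, 0, sizeof pfd);
}

static conv_key make_key(uint32_t a, uint16_t pa, uint32_t b, uint16_t pb) {
    int a_first = (a < b) || (a == b && pa <= pb);
    conv_key k;
    k.addr_lo = a_first ? a : b;   k.port_lo = a_first ? pa : pb;
    k.addr_hi = a_first ? b : a;   k.port_hi = a_first ? pb : pa;
    return k;
}

static conversation *find_conversation(conv_table *t, conv_key k) {
    for (int i = 0; i < MAX_CONV; i++) {
        conversation *c = &t->c[i];
        if (c->in_use && c->key.addr_lo == k.addr_lo && c->key.addr_hi == k.addr_hi &&
            c->key.port_lo == k.port_lo && c->key.port_hi == k.port_hi)
            return c;
    }
    return NULL;
}

static conversation *conversation_new(conv_table *t, conv_key k) {
    for (int i = 0; i < MAX_CONV; i++)
        if (!t->c[i].in_use) {
            t->c[i].in_use = 1; t->c[i].key = k; t->c[i].frames_seen = 0;
            return &t->c[i];
        }
    return NULL;   /* table full: the caller must cope, not crash */
}

static frame_data *p_get_proto_data(unsigned frame) {
    return (frame < MAX_FRAMES && pfd[frame].in_use) ? &pfd[frame] : NULL;
}
static void p_add_proto_data(unsigned frame, unsigned seq) {
    if (frame < MAX_FRAMES) { pfd[frame].in_use = 1; pfd[frame].seq_in_conv = seq; }
}

/* Toy protocol: number each frame within its conversation. Per-frame data is
 * checked first, so re-dissecting a frame (the user clicks on it) returns the
 * number computed on the first pass. Returns 0 if the table is full. */
static unsigned dissect_frame(unsigned frame, uint32_t src, uint16_t sport,
                              uint32_t dst, uint16_t dport) {
    frame_data *fd = p_get_proto_data(frame);
    if (fd) return fd->seq_in_conv;
    conv_key k = make_key(src, sport, dst, dport);
    conversation *c = find_conversation(&convs, k);
    if (!c && !(c = conversation_new(&convs, k))) return 0;
    unsigned seq = ++c->frames_seen;
    p_add_proto_data(frame, seq);
    return seq;
}

/* The same without per-frame data: right on the first pass, wrong afterwards,
 * because the conversation counter advances every time the frame is shown. */
static unsigned dissect_frame_naive(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport) {
    conv_key k = make_key(src, sport, dst, dport);
    conversation *c = find_conversation(&convs_naive, k);
    if (!c && !(c = conversation_new(&convs_naive, k))) return 0;
    return ++c->frames_seen;
}

int main(void) {
    const uint32_t A = 0x0a000001u, B = 0x0a000002u;   /* constructed: 10.0.0.1 and 10.0.0.2 */
    unsigned s1, s2, s3;
    proto_init_example();
    s1 = dissect_frame(1, A, 1025, B, 113);
    s2 = dissect_frame(2, B, 113, A, 1025);
    s3 = dissect_frame(3, A, 1025, B, 113);
    printf("first pass: %u %u %u\n", s1, s2, s3);
    printf("click frame 2 again: %u (from per-frame data)\n", dissect_frame(2, B, 113, A, 1025));
    dissect_frame_naive(A, 1025, B, 113); dissect_frame_naive(B, 113, A, 1025); dissect_frame_naive(A, 1025, B, 113);
    printf("click frame 2 again, naive: %u (wrong)\n", dissect_frame_naive(B, 113, A, 1025));
    return 0;
}
```

Frame 2 flows from server to client and still lands in the same conversation as frames 1 and 3 because make_key orders the two endpoints before comparing. Re-dissecting frame 2 with per-frame data returns 2; the naive version returns 4, because it re-derived the answer from conversation state that had moved on. Bounding both tables and returning 0 when they are full is the same discipline as the TVB slides: a capture is untrusted input and must not be able to push the dissector past its own storage.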
%page

Missing and/or duplicate frames


	Your dissector must tolerate missing frames, segments, etc
		Can be missing for a variety of reasons
			Did not capture enough packets/frames
			Multiple paths through the internet
	Your dissector must also tolerate duplicate segments
		Retransmissions
		Capturing on loopback under Linux
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Changing the GUI


	All the GUI code is kept in ethereal-x.y.z/gtk
	Mostly callbacks from GTK+ objects
	Add what you need
	Discuss it with the team first

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Resources


	The Ethereal web site
		www.ethereal.com

	The Ethereal user's guide
		www.ns.aus.com/ethereal/user-guide/book1.html

	The GTK+ web site
		www.gtk.org

	Ethereal developers documentation
		README.developer in doc directory
		README.tvbuff in doc directory

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mailing lists


	ethereal-dev
	ethereal-announce
	ethereal-users
	ethereal-core
	Subscribe to them from www.ethereal.com