#!/usr/bin/X11/mgp -o -g 1028x776-1026-772
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Copyright, 2000, Richard Sharpe, richard.sharpe@linuxworld.com
%%
%% This presentation is free material; you can redistribute it and/or
%% modify it under the terms of the GNU General Public License
%% as published by the Free Software Foundation; either version 2
%% of the License, or (at your option) any later version.
%%
%% This material is distributed in the hope that it will be useful,
%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
%% GNU General Public License for more details.
%%
%% You should have received a copy of the GNU General Public License
%% along with this material; if not, write to the Free Software
%% Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
%%
%% If you make any changes or improvements, please consider contributing
%% them back to the ethereal team or the author.
%%
%deffont "standard" xfont "comic sans ms-medium-r"
%deffont "thick" xfont "arial black-medium-r"
%deffont "typewriter" xfont "courier new-bold-r"
%%
%% Default settings per line number.
%%
%default 1 leftfill, size 8, fore "yellow", back "black", font "thick"
%default 1 bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 95, prefix " ", icon box "red" 50
%tab 2 size 4, vgap 95, prefix " ", icon arc "yellow" 50
%tab 3 size 3, vgap 95, prefix " ", icon delta3 "white" 40
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%tfont "comic sans ms-medium-r"


%center, size 4
%image "ethereal-logo-small.png"

%size 7, font "standard"
Developing an Ethereal Dissector

%size 7, font "standard"
A tutorial on Open Source Software

%size 4, font "standard"
by Richard Sharpe

%% You may add the following here, if you like ...
%%size 4, font "standard"
%%Presented by YOUR NAME HERE

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Agenda


	My involvement with Ethereal
	Overview of Ethereal
	Developing a dissector
	The AUTH/IDENT dissector
	Advanced topics
	Resources


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

My involvement with Ethereal


	Needed a Linux/Unix packet analysis program
	Found Ethereal in late 1998
		Very few application protocols at that stage
	Developed a number of dissectors in 1999 and 2000
		POP, TFTP, FTP, Telnet, SMB, SMTP, BXXP
	Helped with various bits of infrastructure and ideas

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of Ethereal


	What is Ethereal
	Genesis of Ethereal
	Protocols it understands
	Features
	Platforms it runs on
	Tools it uses
	Uses for Ethereal
	Future of Ethereal

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What is Ethereal


	Open source packet capture and analysis program
		GPL'd
	Based on GTK+
	Uses libpcap
	Developed by a world-wide team
	Being used by standards groups
	Supports many protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"

What is Ethereal
%%system "/root/ethereal-latest/ethereal -m 9x15 -n -r /root/captures/w95-logon-off-nt.cap" -1
%%system "xterm -fn 12x24 -e more /root/ethereal-latest/packet-bxxp.c &"

%center
%image "ethereal-shot.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Genesis of Ethereal


	Started in 1998 by Gerald Combs
		Needed a GUI-based packet analysis program
		Wrote his own, using GTK+
	Quickly gained a following
		Guy Harris, Gilbert Ramirez, Laurent Deniel
		Jun-ichiro itojun Hagino, Hannes Boehm,
		Richard Sharpe, Jeff Foster, ...
	Currently, Version 0.8.13?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocols it understands


	Any UNIX/Linux network device
	IP, IPX, NetBEUI, X.25, HDLC, ...
	ICMP, IGMP, TCP, UDP, OSPF, ...
	Many application layer protocols
		138+

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Features


	Read and write many capture file formats
		libpcap, NetMon, snoop, NetXRay, ...
	Filter packets during capture
	Filter packets during display
	View all the packet details the dissector code handles
	Follow TCP streams
	Print packets, etc ...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Platforms it runs on


	Any version of UNIX with:
		GTK+
		libpcap
	Linux, FreeBSD, ...
	Windows 9X, NT, 2000


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Tools it uses


	GTK+ 1.2.6+, Glib
	libpcap
	autogen, automake, bison, flex, GCC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Uses for Ethereal


	Learning about protocols
	Network troubleshooting
	Developing new implementations
	Capturing passwords (cleartext protocols such as POP, FTP and Telnet)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example ... Why is RADIUS failing

%center
%image "ethereal-radius.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Future of Ethereal


	Version 1.0 early 2001
	Version 2.0 redeveloped
		Apply all the lessons we have learned
		Separate packet dissecting from display
		Provide a library to be used separately
		Use SNMP to capture from RMON packet probes
	Developer documentation
	Improve user documentation
	Automatic generation of dissectors?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Developing a dissector


	Obtaining the source code
	Other packages you need
	Unpack source and prepare to build
	Structure of the source code
	Your dissector
	Summary information vs tree view
	When your dissector is called
	Routines you will need to use
	Using tvb versus the (packet) frame buffer
	A walk through a dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Obtaining the source code


	Download from www.ethereal.com
		Not the latest code
		But it will compile
	Get access to the CVS tree
		Latest, possibly buggy code
		May not compile
		May be undergoing serious change


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Other packages you need


	libpcap
	GTK+ 1.2.6+
	GLIB 1.2.6+
	automake, autoconf
	make
	gcc
	bison/yacc, flex/lex
	Perl
	Python

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Unpack your source and prepare to build


%size 4, font "typewriter"
tar zxvf ethereal-0.8.x.tar.gz

%size 4, font "typewriter"
cd ethereal-0.8.x

%size 4, font "typewriter"
./configure # may need autogen.sh

%size 4, font "typewriter"
# Fix up any problems

%size 4, font "typewriter"
make

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure of the source code


	ethereal-0.x.y
		All the dissectors, packet-xxx.c
		Much of the support code
	ethereal-0.x.y/gtk
		Contains main.c
		Contains the GUI code
	ethereal-0.x.y/wiretap
		Code to deal with capture file formats

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure, cont


	ethereal-0.x.y/doc
		Documentation and scripts for generating docs
	ethereal-0.x.y/plugins
		Plugins and support code
	ethereal-0.x.y/others...
		A few other directories

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Your dissector


	Create packet-xxx.c in top level directory
	Copy an existing dissector and modify
		eg, packet-pop.c
			not a good choice if you need to keep state between packets
	Must have a dissect_xxx entry point
	Use build-dissector.pl to build a TCP/UDP dissector
	Can decode as much or as little as you want

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary information vs tree view


	Must produce two types of information
		Summary information in the top pane
		Protocol tree information in the middle and lower panes


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary vs tree view, cont


	One dissector used for both!
	If called with a non-NULL tree argument, must provide protocol tree info
	If called with a NULL tree argument, only need to provide summary
	Your protocol may require you to decode the whole packet in either case!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

When your dissector is called


	Called by the protocol below you
		Eg, packet-tcp.c, etc
	Once, on first pass, for every packet that is yours
		Mainly, summary info wanted this time around
		If filter specified, full decode needed
		If color filter in effect, full decode needed
	Every time the user clicks on one of your packets in the summary pane
	If a rescan is needed
		Once, again, for every packet that is yours

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Routines you will need to use


	Registration routines
	Summary info display
	Protocol tree display
	Packet access routines (macros)
	TVB routines
	Utility routines

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Registration routines


	Registering initialization callbacks
		Create an xxx_init_protocol routine, eg bxxp_init_protocol
	Registering your dissection routines
		Create proto_register_xxx routine
		Call dissector_add (normally from proto_reg_handoff_xxx) to claim your port
		Create proto_reg_handoff_xxx
	Registering filter information
	Registering preference information

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary info display


	check_col
		Checks if a column is needed
	col_add_[f]str
		Adds a string or a formatted string


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocol tree display


	proto_item_add_subtree
		Adds a new subtree to the protocol tree
	proto_tree_add_xxx[_format]
		Adds an item to the subtree for display and searching
	proto_tree_add_xxx_hidden
		Adds an item to the subtree for searching only
	proto_item_set_len
		Sets the length for an item
	proto_tree_add_notext & proto_tree_set_text
		Adds an item without text
		Later add the text

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Packet access routines (macros)


	Accessing information in the frame data
		Only needed if you are not using TVB
	Extracting information with correct endianness
		Big endian
			pntohs, pntohl
		Little endian
			pletohs, pletohl
	Byte-wise access also avoids unaligned access traps on RISC architectures

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

TVB routines


	tvb_xxx
		Routines to access data from the packet
	tvb_length_remaining(tvb, offset)
		Find out how many bytes remain in the packet

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Utility routines


	format_text
		Formats packet data for display in the detail pane

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Using TVB vs the frame buffer


	Original dissectors accessed the packet/frame buffer directly
		Too many coders did not check that the bytes they read were actually in the captured frame
		Many crashes due to reads past the end of the frame data
	Testy, Virtualizable Buffers (tvbuff) introduced
		Protect Ethereal from bad coding: an out-of-range access throws an exception that is caught by the framework and reported against the packet, instead of crashing Ethereal
	However, few dissectors converted to using TVB

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

A walk through a dissector...


%%system "...more etc ..."
	Walk through packet-pop.c comparing code to what Ethereal displays

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

The AUTH/IDENT dissector


	Overview of the AUTH/IDENT dissector
	Discussion of the AUTH/IDENT dissector
	Other files you need to modify
	Building the dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of the AUTH/IDENT dissector


%center, size 4
%image "rfc1413.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Discussion of the AUTH/IDENT dissector


	Simple dissector needed here
	All dissection decisions based on packet content alone
	Must check port numbers for client or server side
	Small amount of code plus a couple of support routines
	Some registration code required

%page

Create the dissector...


	Hack away until done...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
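The following is an added example for this tutorial; it is not code from the presentation or from the Ethereal source tree. It models, in a single stand-alone C program, the pieces the last few slides describe: a bounds-checked buffer in the spirit of tvbuff (every read is range-checked and an out-of-range read raises an error that the calling layer catches, instead of reading past the captured frame), byte-wise big-endian extraction as pntohs does, a "lower layer" that hands a subset buffer up with the TCP ports, and the AUTH/IDENT (RFC 1413) dissection logic itself, which decides client/server side by port 113 and always produces the summary text but only builds tree items when asked (the role of Ethereal's non-NULL tree argument). The names tvb_t, ident_info_t, ident_dissect and dissect_frame, the 4-byte "TCP header" and the sample frames are all constructed for this example and do not exist in Ethereal.

```c
/* Added example, not Ethereal code: AUTH/IDENT (RFC 1413) dissection on a
 * tiny bounds-checked buffer modelled on Ethereal's tvbuff.  tvb_t,
 * ident_info_t, ident_dissect and dissect_frame are hypothetical names. */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDENT_PORT  113
#define TCP_HDR_LEN 4      /* constructed "TCP header": src port, dst port only */

typedef struct { const uint8_t *data; size_t len; } tvb_t;
static jmp_buf bounds_error;

/* Every read is range-checked; an out-of-range read longjmps out the way a
 * tvbuff throws BoundsError, instead of reading past the captured data. */
static uint8_t tvb_get_guint8(const tvb_t *tvb, size_t off) {
    if (off >= tvb->len) longjmp(bounds_error, 1);
    return tvb->data[off];
}
/* Byte-wise big-endian read: correct on any host, never an unaligned load (cf. pntohs). */
static uint16_t tvb_get_ntohs(const tvb_t *tvb, size_t off) {
    uint16_t hi = tvb_get_guint8(tvb, off);
    return (uint16_t)((hi << 8) | tvb_get_guint8(tvb, off + 1));
}
static size_t tvb_length_remaining(const tvb_t *tvb, size_t off) {
    return off >= tvb->len ? 0 : tvb->len - off;
}
static tvb_t tvb_new_subset(const tvb_t *tvb, size_t off) {   /* payload for the layer above */
    tvb_t sub = { tvb->data + off, tvb_length_remaining(tvb, off) };
    return sub;
}
/* Copy the CRLF-terminated line at off into buf; -1 if buf is too small.
 * A line that runs off the end of the frame raises the bounds error. */
static int tvb_get_line(const tvb_t *tvb, size_t off, char *buf, size_t bufsz) {
    size_t n = 0;
    while (n + 1 < bufsz) {
        uint8_t c = tvb_get_guint8(tvb, off + n);
        if (c == '\r' && tvb_get_guint8(tvb, off + n + 1) == '\n') { buf[n] = '\0'; return (int)n; }
        buf[n++] = (char)c;
    }
    return -1;
}
/* Split "a : b : c" on ':' and trim blanks around each field. */
static int split_fields(char *line, char *fields[], int max) {
    int n = 0;
    for (char *p = line; p && n < max; ) {
        char *q = strchr(p, ':');
        if (q) *q++ = '\0';
        while (*p == ' ' || *p == '\t') p++;
        char *e = p + strlen(p);
        while (e > p && (e[-1] == ' ' || e[-1] == '\t')) *--e = '\0';
        fields[n++] = p;
        p = q;
    }
    return n;
}

typedef struct {
    int  is_request;       /* client -> server (dst port 113) or server -> client */
    char info[96];         /* what col_add_str would put in the Info column */
    char items[6][64];     /* what would become proto_tree items */
    int  n_items;
} ident_info_t;

/* Returns 1 if dissected, 0 if not ours or malformed.  build_tree plays the
 * role of Ethereal's non-NULL tree argument: summary always, tree on request. */
static int ident_dissect(const tvb_t *tvb, uint16_t sport, uint16_t dport,
                         int build_tree, ident_info_t *out) {
    char line[160], *f[4];
    unsigned srv, cli;
    if (dport != IDENT_PORT && sport != IDENT_PORT) return 0;
    out->is_request = (dport == IDENT_PORT);
    if (tvb_get_line(tvb, 0, line, sizeof line) < 0) return 0;
    int nf = split_fields(line, f, 4);
    if (sscanf(f[0], "%u , %u", &srv, &cli) != 2) return 0;
    if (out->is_request) {
        if (nf != 1) return 0;
        snprintf(out->info, sizeof out->info, "Request: server port %u, client port %u", srv, cli);
    } else if (nf == 4 && strcmp(f[1], "USERID") == 0) {
        snprintf(out->info, sizeof out->info, "Response: USERID %s %s", f[2], f[3]);
    } else if (nf == 3 && strcmp(f[1], "ERROR") == 0) {
        snprintf(out->info, sizeof out->info, "Response: ERROR %s", f[2]);
    } else {
        return 0;
    }
    if (build_tree) {
        snprintf(out->items[out->n_items++], 64, "Server port: %u", srv);
        snprintf(out->items[out->n_items++], 64, "Client port: %u", cli);
        for (int i = 1; i < nf; i++) snprintf(out->items[out->n_items++], 64, "%s", f[i]);
    }
    return 1;
}

/* The layer below: read the ports big-endian, pass the payload up as a subset
 * buffer and catch a bounds error from the dissector (Ethereal reports it
 * against the packet rather than crashing).  1 = dissected, 0 = not ident,
 * -1 = frame truncated. */
static int dissect_frame(const uint8_t *frame, size_t len, int build_tree, ident_info_t *out) {
    memset(out, 0, sizeof *out);
    tvb_t tvb = { frame, len };
    if (setjmp(bounds_error) != 0) {
        snprintf(out->info, sizeof out->info, "[Malformed Packet]");
        return -1;
    }
    uint16_t sport = tvb_get_ntohs(&tvb, 0), dport = tvb_get_ntohs(&tvb, 2);
    tvb_t payload = tvb_new_subset(&tvb, TCP_HDR_LEN);
    return ident_dissect(&payload, sport, dport, build_tree, out);
}

/* Constructed frames: 2-byte src port, 2-byte dst port (big-endian), then payload. */
static const uint8_t REQ[]   = "\x04\x01\x00\x71" "6191, 23\r\n";                       /* 1025 -> 113 */
static const uint8_t RESP[]  = "\x00\x71\x04\x01" "6191, 23 : USERID : UNIX : stjohns\r\n";
static const uint8_t ERR[]   = "\x00\x71\x04\x01" "6191, 23 : ERROR : NO-USER\r\n";
static const uint8_t TRUNC[] = "\x04\x01\x00\x71" "6191, 2";                            /* cut before CRLF */
static const uint8_t HTTP[]  = "\x04\x01\x00\x50" "GET / HTTP/1.0\r\n";                 /* 1025 -> 80 */

int main(void) {
    const uint8_t *frames[] = { REQ, RESP, ERR, TRUNC, HTTP };
    size_t lens[] = { sizeof REQ - 1, sizeof RESP - 1, sizeof ERR - 1, sizeof TRUNC - 1, sizeof HTTP - 1 };
    ident_info_t info;
    for (int i = 0; i < 5; i++) {
        int rc = dissect_frame(frames[i], lens[i], 1, &info);
        printf("frame %d: rc=%d info=\"%s\" tree items=%d\n", i + 1, rc, info.info, info.n_items);
    }
    return 0;
}
```

The truncated frame is the case the "Using TVB vs the frame buffer" slide is about: a dissector that indexed the raw frame buffer would read past the end of the captured data looking for the CRLF; here the read is refused and the frame is flagged. In a real Ethereal dissector the same logic would use tvb_get_guint8/tvb_get_ntohs, col_add_fstr for the Info text and proto_tree_add_* for the items, with the port check done on pinfo->srcport and pinfo->destport.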
%page

Other files you need to modify


	Makefile.am
		Add your source code module to DISSECTOR_SOURCES
	Rerun configure

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Building the dissector


%size 4, font "typewriter"
make: make

%size 4, font "typewriter"
test

%size 4, font "typewriter"
fix

%size 4, font "typewriter"
goto make
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Advanced topics


	Preferences
	Display filters
	Keeping state
		Conversations
		Per-frame state
	Missing frames
	Changing the GUI


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences


	Allow you to manage preferences
		Kept in ~/.ethereal/preferences
	You provide a callback routine
		proto_reg_handoff_xxx
	Register your preferences in proto_register_xxx
		Fields
		Types
		Description
	They appear in the preferences panel


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, cont


%center, image "eth-prefs.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, the code


	prefs_register_module
		Registers the module and a handoff routine
	prefs_register_xxx_preference
		Registers a preferences field, its type, name, description, etc


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Display filters


	Allow users to search the capture file for interesting items
	Supported by registering field items to the protocol tree
		proto_register_field_array
	Field items can be displayable or hidden

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Keeping state


	Sometimes you want to keep state information
		You need information from past frames to make sense of the current frame
	Two mechanisms that work hand in hand
		Conversations
			Focussed around TCP connections
		Per-frame data
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Conversations


	Conversations allow you to keep state information
		Keyed by source & dest IP and port numbers
	Search for the conversation on each frame
		Create one if it does not exist
	Best used on the first pass through all the packets

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Per-frame state


	State can be kept:
		Per-frame
		Per-protocol
	Best used in conjunction with conversations
		Accumulate information on first pass
		Add it to per-frame data as you go
	Always check for per-frame data first
		Later passes, and clicks on frames in any order, must not re-run the state machine
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Missing and/or duplicate frames


	Your dissector must tolerate missing frames, segments, etc
		Can be missing for a variety of reasons
			Did not capture enough packets/frames
			Multiple paths through the internet
	Your dissector must also tolerate duplicate segments
		Retransmissions
		Capturing on loopback under Linux (each packet is seen twice)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
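The following is an added example for this tutorial and not code from the presentation or from Ethereal. It shows, in one stand-alone C program, how the "Keeping state", "Conversations", "Per-frame state" and "Missing and/or duplicate frames" slides fit together: a conversation record is looked up (or created) from the two address/port pairs on every frame, the first pass accumulates state in it and copies the result into per-frame data, and because per-frame data is always checked first, later calls in any order simply replay the stored result without touching the conversation. A retransmitted segment (TCP seq behind what the conversation has already seen in that direction) is flagged and not dissected again, and a response whose request was never captured is labelled as such rather than crashing or mis-pairing. The toy request/response protocol ("REQ ..." / "RSP ...") and every name here (frame_t, conversation_t, pfd_t, dissect_toy, reset_state, ...) are invented for the example; the real Ethereal calls are find_conversation/conversation_new and p_add_proto_data/p_get_proto_data, with the reset done in a routine registered via register_init_routine.

```c
/* Added example, not Ethereal code: conversation state + per-frame data for a
 * toy request/response protocol, tolerant of retransmitted and missing segments.
 * All names and the sample frames are hypothetical/constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 64
#define MAX_CONVS  16

typedef struct { uint32_t num, src, dst; uint16_t sport, dport; uint32_t seq; const char *payload; } frame_t;

typedef struct {
    int      used;
    uint32_t addr[2]; uint16_t port[2];   /* endpoint 0 is the lexicographically smaller (addr, port) */
    uint32_t next_seq[2];                 /* next expected TCP seq, per direction */
    uint32_t pending_req;                 /* frame number of the unanswered request, 0 if none */
} conversation_t;

enum { KIND_NONE, KIND_REQUEST, KIND_RESPONSE, KIND_RESPONSE_NO_REQUEST, KIND_RETRANSMISSION, KIND_OTHER };
typedef struct { int visited; int kind; int gap; uint32_t related_frame; } pfd_t;   /* per-frame data */

static conversation_t convs[MAX_CONVS];
static pfd_t pfd[MAX_FRAMES + 1];

/* What an xxx_init_protocol routine does: forget everything when a capture is (re)loaded. */
static void reset_state(void) { memset(convs, 0, sizeof convs); memset(pfd, 0, sizeof pfd); }

static int conversation_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_CONVS; i++) n += convs[i].used;
    return n;
}

/* Look the conversation up by (addr, port) pair in either order; create it on first sight.
 * *dir receives 0 if the frame flows from endpoint 0 to endpoint 1, else 1. */
static conversation_t *find_or_create_conversation(const frame_t *f, int *dir) {
    int flip = (f->src > f->dst) || (f->src == f->dst && f->sport > f->dport);
    uint32_t a0 = flip ? f->dst : f->src, a1 = flip ? f->src : f->dst;
    uint16_t p0 = flip ? f->dport : f->sport, p1 = flip ? f->sport : f->dport;
    conversation_t *free_slot = NULL;
    *dir = flip;
    for (int i = 0; i < MAX_CONVS; i++) {
        conversation_t *c = &convs[i];
        if (!c->used) { if (!free_slot) free_slot = c; continue; }
        if (c->addr[0] == a0 && c->addr[1] == a1 && c->port[0] == p0 && c->port[1] == p1) return c;
    }
    if (!free_slot) return NULL;
    free_slot->used = 1;
    free_slot->addr[0] = a0; free_slot->addr[1] = a1;
    free_slot->port[0] = p0; free_slot->port[1] = p1;
    return free_slot;
}

/* The dissector proper.  Per-frame data is consulted first, so the state
 * machine runs exactly once per frame (first pass); every later call, in
 * any order, just returns the stored result. */
static const pfd_t *dissect_toy(const frame_t *f) {
    if (f->num == 0 || f->num > MAX_FRAMES) return NULL;
    pfd_t *p = &pfd[f->num];
    if (p->visited) return p;
    p->visited = 1;
    int dir;
    conversation_t *conv = find_or_create_conversation(f, &dir);
    if (!conv) { p->kind = KIND_OTHER; return p; }
    uint32_t len = (uint32_t)strlen(f->payload);
    /* Duplicate segment: seq is behind what we have already seen in this direction
       (seq wrap-around is ignored in this toy).  Do not advance state again. */
    if (f->seq < conv->next_seq[dir]) { p->kind = KIND_RETRANSMISSION; return p; }
    /* Hole in the capture before this segment: something in between was not seen. */
    p->gap = (conv->next_seq[dir] != 0 && f->seq > conv->next_seq[dir]);
    conv->next_seq[dir] = f->seq + len;
    if (strncmp(f->payload, "REQ ", 4) == 0) {
        p->kind = KIND_REQUEST;
        conv->pending_req = f->num;
    } else if (strncmp(f->payload, "RSP", 3) == 0) {
        if (conv->pending_req) {
            p->kind = KIND_RESPONSE;
            p->related_frame = conv->pending_req;   /* "Response to request in frame N" */
            conv->pending_req = 0;
        } else {
            p->kind = KIND_RESPONSE_NO_REQUEST;     /* request missing from the capture */
        }
    } else {
        p->kind = KIND_OTHER;
    }
    return p;
}

/* The Info column text for a frame. */
static void describe(const pfd_t *p, char *buf, size_t sz) {
    switch (p->kind) {
    case KIND_REQUEST:             snprintf(buf, sz, "Request"); break;
    case KIND_RESPONSE:            snprintf(buf, sz, "Response to request in frame %u", (unsigned)p->related_frame); break;
    case KIND_RESPONSE_NO_REQUEST: snprintf(buf, sz, "Response (request not captured)"); break;
    case KIND_RETRANSMISSION:      snprintf(buf, sz, "[Retransmission, not dissected again]"); break;
    default:                       snprintf(buf, sz, "Unknown"); break;
    }
    if (p->gap) strncat(buf, " [preceding segment(s) not captured]", sz - strlen(buf) - 1);
}

/* Constructed capture: A=10.0.0.1:4000 <-> B=10.0.0.2:9000, plus C=10.0.0.3:4001 -> B. */
static const frame_t FRAMES[] = {
    {1, 0x0a000001, 0x0a000002, 4000, 9000, 1,  "REQ foo"},
    {2, 0x0a000002, 0x0a000001, 9000, 4000, 1,  "RSP ok"},
    {3, 0x0a000001, 0x0a000002, 4000, 9000, 8,  "REQ bar"},
    {4, 0x0a000001, 0x0a000002, 4000, 9000, 8,  "REQ bar"},   /* retransmission of frame 3 */
    {5, 0x0a000002, 0x0a000001, 9000, 4000, 7,  "RSP ok"},
    {6, 0x0a000002, 0x0a000001, 9000, 4000, 20, "RSP ok"},    /* its request was never captured */
    {7, 0x0a000003, 0x0a000002, 4001, 9000, 1,  "REQ baz"},   /* a second conversation */
};

int main(void) {
    char buf[96];
    reset_state();
    for (size_t i = 0; i < sizeof FRAMES / sizeof FRAMES[0]; i++) {   /* first pass, capture order */
        describe(dissect_toy(&FRAMES[i]), buf, sizeof buf);
        printf("frame %u: %s\n", (unsigned)FRAMES[i].num, buf);
    }
    printf("%d conversations\n", conversation_count());
    return 0;
}
```

Run in capture order, frame 5 comes out as "Response to request in frame 3", frame 4 as a retransmission and frame 6 as a response with no captured request preceded by a gap; calling dissect_toy on frame 5 again afterwards (what happens when the user clicks on it) returns the same stored answer without consulting or changing the conversation, which is exactly why the per-frame lookup has to come first.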
%page

Changing the GUI


	All the GUI code is kept in ethereal-x.y.z/gtk
		Mostly callbacks from GTK+ objects
	Add what you need
		Discuss it with the team first

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Resources


	The Ethereal web site
		www.ethereal.com

	The Ethereal user's guide
		www.ns.aus.com/ethereal/user-guide/book1.html

	The GTK+ web site
		www.gtk.org

	Ethereal developer documentation
		README.developer in doc directory
		README.tvbuff in doc directory

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mailing lists


	ethereal-dev
	ethereal-announce
	ethereal-users
	ethereal-core
	Subscribe to them from www.ethereal.com