Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] What is the best way to create a statefuldissector?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Kenny Ho <kho@xxxxxxxx>
Date: Wed, 23 Nov 2011 09:16:05 -0500
Awesome!  Thanks for all the information and advice.

Kenny

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Meier
Sent: November-22-11 7:19 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] What is the best way to create a statefuldissector?

On 11/22/2011 7:02 PM, Bill Meier wrote:
>
> So, it may be the case that you'll need to store "per-frame" info
> about any decisions made as to how to dissect a particular packet
> based upon a previous packet.
>
> When an arbitrary packet is then dissected again later the associated
> per-packet info is used to do the dissection in the same way as done
> during the first sequential pass.
>


Or:  If the nature of the state info is akin to "setup" info which once seen applies to all the following packets of a conversation then use of a conversation should be sufficient.

(Of course your dissector will need to handle the case wherein a capture "starts in the middle" such that info from a previous packet is not available).

If the state info can be different for each of the streams then you may want to use a GHashtable associated with a conversation to store info for each individual stream associated with a conversation (connection).


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

IMPORTANT CONFIDENTIALITY NOTICE
This message and any attached documents contain information from ViXS Systems, Inc. and are confidential and privileged and further subject to any confidentiality agreement between the parties. The information is intended to be viewed only by the individual(s) or entity(ies) to whom the message is addressed. If you are not the intended recipient, be aware that reading, disclosing, copying, distributing or using the contents of this transmission is prohibited. Please notify us immediately if you have received this transmission in error, and delete this message along with any attached files.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube