Wireshark · Ethereal-dev: [Ethereal-dev] Packets Spanning Packets

[Evan Hughes <ehughes@xxxxxxxxx>]

From: Guy Harris [mailto:guy@xxxxxxxxxx]
> > Or, more to the point, how difficult would it be to implement?
> Fairly difficult.  See my recent reply in the thread on Van Jacobson
> compressed PPP for *some* of the issues that have to be resolved in
> order to support dissection of packets that span frames.

  The code in follow_dlg.c and follow.c seem to be fairly promising: they
sort and uniquify the packets in the TCP stream -- which (unless I'm missing
something here) is exactly what needs to be done to parse higher level
packets spanning TCP packets. 

  I haven't done too much digging about, but could the functions in follow.c
be cleanly modified to create an index of packets in a stream? Then maybe
something like a the tvbuff could be used to walk across them in a manner
that would shelter the code monkey from knowing about the underlying
packets...

(I'm going to have to install a real OS soon if this seems easily doable =)

e