Ethereal-dev: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <rsharpe@xxxxxxxxxxxxxxxxx>
Date: Wed, 9 Jul 2003 11:33:29 -0700 (PDT)
On Wed, 9 Jul 2003, Jeff Morriss wrote:

> > OK,
> > rather than calling it a fake-link, why not a raw capture. We have 
> > precedent from the various raw protocol support on some versions of UNIX 
> > (which unfortunately seems to have meant raw-IP).
> 
> The only "problem" I see with that is that it's not quite "raw":  each 
> packet needs to have some kind of header on it (to tell us the length). 
> But, that's not a big deal...  "raw capture" is fine by me.

Sure, but it is raw in the sense that it might not have a link-layer, or 
IP layer header, only a capture header.
 
> > Secondly, rather than having a 16-bit protocol type, how about a 32-bit 
> > protocol type which would allow us to, say map IP-types and port-numbers 
> > etc without having to resort to more large tables.
> 
> I had contemplated whether 16-bits would be enough, but I figured it 
> would be...
> 
> What do you mean about port-numbers?

Here, as below, I am thinking of a way to get to the ultimate dissector, 
or a path to the dissector required for the data.

Assuming that the file header says that the PDUs contain IP data, then SMB 
packets might have their header type encoded as:

  0x0006008B

Which can be understood as TCP port 139 so we can easily find the 
dissector.

> > Or, how about having a variable length type with:
> > 
> >   First field being DLT-TYPE
> >   Second field being a sub-type based on that
> >   Third field being ...
> > 
> > Thus, a raw IP capture might have header types of:
> > 
> >  0x0006 0x0001 0x0805 <capture-len> <data>
> >       ^      ^    ^
> >       |      |    |
> >       |      |    +----- IP ...
> >       |      +---------- DLT_EN10MB (ethernet II?)
> >       +----------------- 6-bytes total type info
> 
> 
> I've been contemplating this, but I don't quite get how it works 
> (sorry--my inexperience is probably showing).
> 
> I see that you're building a path to IP (in this case through Ethernet II).
> 
> Do you mean this as a packet-header or file-header?

I would prefer to see it in a per-packet header so that we can have 
mixtures of raw PDUs in a capture file, however, that can be handled by 
having one DLT-type that says mixed.
 
> How is this path information translated into "Give <data> to the IP 
> dissector"?  Does someone need to know "Okay, he said DLT_EN10MB so 
> let's set "ethertype" to 0x0805 and call whatever dissector wants that?"

OK, so we need one packet-xxx.c file that corresponds to the raw DLT type 
and it walks the path of omitted lower layer headers, selecting the 
dissector table each time, and when it gets to the final one, calls the 
dissector with a TVB being the PDU we actually have.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
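The per-packet path header sketched above, and the table walk Richard describes at the end, as an added Python example that is not part of this thread or of Ethereal's code. The record layout (u16 type-info length counting itself, u16 path fields, u16 capture-len, data), the table names, and the use of 0x0800 as the IPv4 ethertype are my assumptions where the sketch leaves them open.

```python
import struct

# Hypothetical dissector tables, not Ethereal's real registry: a selector
# value maps to (next_table, dissector); next_table is None at a leaf.
TABLES = {
    "wtap_encap": {0x0001: ("ethertype", "eth")},   # DLT_EN10MB
    "ethertype":  {0x0800: ("ip.proto", "ip")},     # IPv4 (the sketch wrote 0x0805)
    "ip.proto":   {0x0006: ("tcp.port", "tcp")},    # TCP
    "tcp.port":   {0x008B: (None, "netbios-ssn")},  # port 139, carries SMB
}

class RawCaptureError(ValueError):
    """Malformed record, or a path the tables cannot resolve."""

def parse_record(buf):
    """Split a record into (path, pdu). Assumed layout, big-endian: u16 type-info
    length (counting itself), u16 path fields, u16 capture-len, data."""
    if len(buf) < 2:
        raise RawCaptureError("truncated type-info length")
    (type_len,) = struct.unpack_from(">H", buf, 0)
    if type_len < 4 or type_len % 2 or len(buf) < type_len + 2:
        raise RawCaptureError("bad or truncated type info")
    path = list(struct.unpack_from(">%dH" % ((type_len - 2) // 2), buf, 2))
    (cap_len,) = struct.unpack_from(">H", buf, type_len)
    start = type_len + 2
    if len(buf) < start + cap_len:  # never hand a short TVB to a dissector
        raise RawCaptureError("capture-len exceeds record")
    return path, buf[start:start + cap_len]

def resolve_dissector(path, root="wtap_encap"):
    """Walk the omitted lower layers, hopping one dissector table per field,
    and return the name of the dissector that owns the PDU."""
    table, dissector = root, None
    for value in path:
        if table is None:
            raise RawCaptureError("path continues past a leaf dissector")
        entry = TABLES.get(table, {}).get(value)
        if entry is None:
            raise RawCaptureError("no dissector for %s=0x%04x" % (table, value))
        table, dissector = entry
    if dissector is None:
        raise RawCaptureError("empty path")
    return dissector

def dissect(buf):
    path, pdu = parse_record(buf)
    return resolve_dissector(path), pdu

# Constructed record: 10 bytes of type info (EN10MB / IPv4 / TCP / port 139), capture-len 4, 4-byte stand-in PDU.
RECORD = struct.pack(">HHHHHH", 10, 0x0001, 0x0800, 0x0006, 0x008B, 4) + b"\xffSMB"
```

A two-field path such as EN10MB / IPv4 stops at the "ip" dissector, which is the raw IP case from the sketch; a path that reaches a value no table knows, or a capture-len longer than the record, is rejected before any dissector sees the bytes.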