Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: [Ethereal-dev] H.223

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Richard van der Hoff <richard@xxxxxxxxxxxxxxxxxx>
Date: Fri, 16 Apr 2004 20:24:14 +0100
Hi,

I'm trying to write a plugin to dissect H.223, but it's proving somewhat
challenging.

H.223 is a cicuit-orientated multiplexing protocol; we are passing it
over IP using IAX2, which is a VoIP protocol, which essentially means
that the raw H.223 data is transmitted (unreliably) in 160-byte frames
over UDP with not much more than a timestamp to allow you to get your
frames in order (or, perhaps more likely, drop out-of-order frames) and
a call id to distinguish different multiplexes.

The actual process of distinguishing calls from an individual IAX packet
is somewhat involved, so my first step has been to make the IAX
dissector (which has to do that anyway) set
   packet_info->ctype=CT_IAX
and
   packet_info->circuit_id = <unique id>
and do relevant magic with find_circuit() and circuit_new(), which means
that subdissectors can just do find_circuit() and circuit_get_proto_data().

Hopefully, that's good so far. Someone correct me if it sounds ludicrous.

Now, I've fallen at the next hurdle, which is that of delineating and
dissecting H.223 MUX-PDUs. PDUs are delineated by a 2-byte magic number
(the HDLC flag), and obviously PDUs are likely to span multiple IAX
frames; worse yet, the HDLC flag itself could theoretically span two
frames. The PDUs have no length or identification data: it's assumed
that you'll have a stream of data and you start reading at one HDLC flag
and stop at the next.

So my question really is how I could best go about supporting this in
Ethereal; the problem is basically that, when you're called to dissect
an arbitrary frame, you don't know what the state of the stream is or
what the rest of the data in the PDUs at each end of the frame are.
It seems I need to write some support for stream-based protocols like this, so that when I come to dissect a particular frame, I can easily find the previous frame in the stream, allowing me to backtrack and make an entire PDU. I haven't been able to find anything that really does this - does it exist already? And is it the right thing to do?
I'm also not really sure how much support needs to go into the IAX dissector, and how much into H.223. There's no particularly good reason why H.223 _needs_ to run over IAX, so in many ways, I'd like to just pass the raw data into the H.223 dissector and put all the cunningness in there; on the other hand, I think that much of what I'm trying to do would be much easier with the help of the IAX dissector. 

TIA for any advice.

Richard van der Hoff
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube