I'm planning on writing a dissector for an internal application-level
protocol used here at work. However, with this protocol TCP connections
are made and held for long periods of time (basically, until they are
broken). Multiple separate requests can be sent on each of these
connections. I'm thinking that it will be tricky to discover the start
or stop of a request. It would be disappointing to be limited to only
dissecting the connections that Ethereal can see form.

This might be viewed as the equivalent, say, of a *really* long held
HTTP/1.1 connection. One might try to scan for the start of
a particular request by looking for the pattern:
"<COMMAND> <PATH> HTTP/1.1\n((.+)\n)*(Host: .*)\n((.+)\n)*\n". However,
that's obviously no guarantee. After guessing that a particular group
of bytes was the start of an HTTP/1.1 request, one might later discover
that it was in fact the content of a web page describing a request,
inside a <pre></pre> or <code></code> block. This is just an example,
and there may be flaws with it, but I hope it conveys the gist of what
I'm trying to say.

Is there any documentation describing how one might go about doing this,
or might there be an existing dissector that solves this problem that
I could use as a model for my dissector? Thanks! I admit I haven't
gotten my feet too wet with writing a dissector yet, but I thought I'd
get this squared away first.
--
Bob Bell <bbell@xxxxxxxxxxxxxxxxxxxxx>
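
The ambiguity described in the message above, as an added example that is not part of the original post: a Python scan of a constructed mid-connection byte stream using an approximation of the post's pattern. The method list, host names, sample bytes and the helper names are assumptions made for illustration.

```python
import re

# Approximation of the pattern from the post: a request line, any headers,
# a Host header, any further headers, then an empty line. CRLF or bare LF.
REQUEST_HEAD = re.compile(
    rb"(?P<line>(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.1)\r?\n"
    rb"(?:[^\r\n]+\r?\n)*?"
    rb"Host: [^\r\n]*\r?\n"
    rb"(?:[^\r\n]+\r?\n)*?"
    rb"\r?\n"
)

# Constructed client-to-server bytes. The capture starts partway through the
# body of an earlier upload: an HTML page that documents a request in <pre>.
BODY_TAIL = (
    b"of the page.</p>\n<p>A request looks like this:</p>\n<pre>\n"
    b"GET /index.html HTTP/1.1\n"
    b"Host: www.example.com\n"
    b"\n"
    b"</pre>\n</body></html>\n"
)
REAL_REQUEST = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
STREAM = BODY_TAIL + REAL_REQUEST
BODY_END = len(BODY_TAIL)  # ground truth, known only because we built STREAM


def candidate_request_starts(stream: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, request line) for every span that looks like a request head."""
    return [(m.start(), m.group("line")) for m in REQUEST_HEAD.finditer(stream)]


def classify(stream: bytes, body_end: int) -> list[tuple[int, bytes, bool]]:
    """Tag each candidate with whether it sits on a real message boundary."""
    return [(off, line, off >= body_end)
            for off, line in candidate_request_starts(stream)]


if __name__ == "__main__":
    for off, line, real in classify(STREAM, BODY_END):
        verdict = "real request" if real else "payload text"
        print(f"offset {off:3d}: {line.decode()}  ({verdict})")
```

Both candidates satisfy the pattern equally well; only the constructed ground truth in `BODY_END` separates the request that is really payload text from the one that starts a message.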