
Ethereal-dev: Re: [Ethereal-dev] Registering filter fields during dissection time

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 6 Jul 2005 02:21:52 +0200
I discarded the idea of using DTDs from the XML data because it
presented several security problems.

It is trivial to flood the dissector making it create tons of fake
protocols and its hf_s, etts and its value_strings until the program
crashes.

Everyone able to send packets through the sniffer can easily add new
fields with the older names and send packets that would match or avoid
matching a specified filter.

And more...

The issue is: do you really want the behaviour of your dissector to
change based on what people write to the network?

For me, the answer is no, I don't. 

On 7/6/05, Fabrizio Bertocci <fabrizio@xxxxxxx> wrote:
> Senthil,
> Probably I'm not the best person to answer this, but from my personal
> experience the answer is NO.
> The dissection routine is called several times; by registering the
> field several times, you end up exhausting the memory pretty quickly. The
> registration phase needs to be done only once.
> I think what you should do is to register all the possible fields that
> can appear in your protocol, then the dissector routine will fill up
> only the ones that it finds in the dissected packet.
> I've worked on the RTPS packet dissector and the RTPS packet doesn't
> have all the fields registered; dynamically the dissector understands the
> content and creates the protocol tree. Not all the leaves are filled up.
> 
> Fabrizio
> 
> 
> Senthil Sundaram wrote:
> 
> > Hi,
> >
> > Is it possible to register filter fields from within your dissection
> > routine?
> >
> > i.e. proto_register_field_array() - can this be called from the
> > dissection routines? Reason being, I don't know all the fields during
> > the protocol registration time. I know most of the fields for my
> > protocol during dissection time only. The payload for my protocol is
> > in the form of type-length-value form, so the fields are discovered
> > during dissection.
> >
> > This means the display filters have to be refreshed after the
> > dissection is complete.
> >
> > Is this possible?
> >
> > Thanks
> > Senthil
> >
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> 
> 


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
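
Added example, not part of the original thread and not Ethereal's own code: a stand-alone C model of the approach recommended in the replies, where every filterable field is fixed before any packet is read and unrecognized TLV types share one generic field, so traffic cannot grow the field table or take over an existing filter name. The myproto.* names, type codes and sample packet are constructed for illustration, and no Ethereal API is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registered once, before any packet is seen; packet data never adds entries.
   Names and type codes are constructed for this example. */
enum { F_UNKNOWN, F_NAME, F_SEQ, F_COUNT };
static const char *field_abbrev[F_COUNT] = {
    "myproto.unknown_tlv", "myproto.name", "myproto.seq" };
static const struct { uint8_t type; int field; } known[] = {
    { 0x01, F_NAME }, { 0x02, F_SEQ } };

typedef struct { int field; uint8_t type; size_t off; uint8_t len; } tlv_item;

/* Map a wire type to a pre-registered field; anything else gets the generic one. */
static int lookup_field(uint8_t type) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].type == type) return known[i].field;
    return F_UNKNOWN;
}

/* Walk type(1) length(1) value(length) records. Returns the number of items
   written (at most max_items), or -1 when a record claims more bytes than
   remain in the buffer. */
int dissect_tlvs(const uint8_t *buf, size_t n, tlv_item *out, size_t max_items) {
    size_t off = 0, count = 0;
    while (off < n && count < max_items) {
        if (n - off < 2) return -1;                   /* truncated header */
        uint8_t type = buf[off], len = buf[off + 1];
        if ((size_t)len > n - off - 2) return -1;     /* value overruns buffer */
        out[count++] = (tlv_item){ lookup_field(type), type, off + 2, len };
        off += 2 + (size_t)len;
    }
    return (int)count;
}

const char *item_abbrev(const tlv_item *it) { return field_abbrev[it->field]; }

int main(void) {
    /* Constructed sample: name="abc", unrecognized type 0x7f, seq=5 */
    const uint8_t pkt[] = { 0x01,3,'a','b','c', 0x7f,2,0xde,0xad, 0x02,1,0x05 };
    tlv_item items[8];
    int n = dissect_tlvs(pkt, sizeof pkt, items, 8);
    for (int i = 0; i < n; i++)
        printf("%s type=0x%02x len=%u\n",
               item_abbrev(&items[i]), items[i].type, (unsigned)items[i].len);
    return n < 0;
}
```

The unrecognized type 0x7f still shows up in the output, but under the one generic field with its type code as a value, so memory use and the set of filter names stay independent of what arrives on the wire.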