Wireshark-dev: [Wireshark-dev] Dissector for RPC/NFS traffic anonymization

From: Shehjar Tikoo <shehjart@xxxxxxxxxxxxxxx>
Date: Tue, 30 Jan 2007 14:44:21 +1100
Hi all

I am developing a binary traffic anonymizer for NFS.
I'll be getting traces from a file, anonymizing the
packets/segments and dumping to another output file.

One of the main tasks while anonymizing the traces is to handle the
RPC-over-TCP message fragmentation and re-assembly. To handle this, I
was thinking of writing a dissector that would run as part of tshark and
use the tshark/wireshark infrastructure (mainly tcp_dissect_pdus())
to re-assemble fragmented and segmented NFS traffic, anonymize them and
dump them into an output file.

I was wondering if I could get some more info about wireshark regarding
this idea.

1. Is this possible at all? I've looked at some code in tshark and it
seems doable.

2. I intend to override/replace the built-in RPC-over-TCP dissector with
my dissector/anonymizer. I'd really like to know if there's a better way
to go about this with tshark?

3. After anonymizing the re-assembled tvbuff_ts, I need to dump these
into a file. At the same time I need to preserve the
segmentation/fragmentation structure from the original trace while
dumping. Is there code in wireshark/tshark that can segment or fragment
a re-assembled tvbuff_t back into its original form?
Thanks in advance!
Shehjar
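The core of what the post asks about (questions 1 and 3) is RPC record marking: on TCP, each RPC record is sent as one or more fragments, each preceded by a 4-byte big-endian header whose top bit flags the last fragment and whose lower 31 bits give the fragment length (RFC 1831, section 10). The example below is added here and is not code from the thread or from Wireshark; it is a stand-alone C program that does, outside tshark, the three steps the post describes: reassemble a record from a TCP byte stream (returning "need more data" the way a `tcp_dissect_pdus()` length callback would), hand the reassembled payload to an anonymizer, and write it back out with the original fragment boundaries intact. Assumptions: the anonymizer is length-preserving (the `mask_xid` stand-in just zeroes the first four bytes, where the XID sits in a real RPC message), and `SAMPLE_STREAM` is a constructed byte string, not a real NFS capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RPC record marking (RFC 1831 s.10): 4-byte big-endian header per fragment,
 * bit 31 = last fragment of this record, bits 0-30 = fragment length. */
#define RM_LAST_FRAG 0x80000000u
#define RM_LEN_MASK  0x7fffffffu
#define MAX_FRAGS    16

typedef struct {
    uint8_t *data;                /* reassembled record payload (malloc'd) */
    size_t   len;
    size_t   frag_len[MAX_FRAGS]; /* original fragment sizes, kept for re-fragmentation */
    size_t   nfrags;
} rpc_record_t;

/* Anonymizer hook: rewrites the payload in place and must keep its length. */
typedef void (*anon_fn)(uint8_t *payload, size_t len);

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void write_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Reassemble one record from the head of a TCP byte stream.
 * Returns bytes consumed, 0 if the record is incomplete (need more data), -1 if malformed. */
static long rpc_rm_reassemble(const uint8_t *stream, size_t avail, rpc_record_t *rec) {
    size_t off = 0;
    memset(rec, 0, sizeof *rec);
    for (;;) {
        if (avail - off < 4) goto incomplete;
        uint32_t hdr = read_be32(stream + off);
        size_t flen = hdr & RM_LEN_MASK;
        if (avail - off - 4 < flen) goto incomplete;
        if (rec->nfrags == MAX_FRAGS) { free(rec->data); rec->data = NULL; return -1; }
        if (flen) {
            uint8_t *nd = realloc(rec->data, rec->len + flen);
            if (!nd) { free(rec->data); rec->data = NULL; return -1; }
            rec->data = nd;
            memcpy(rec->data + rec->len, stream + off + 4, flen);
        }
        rec->frag_len[rec->nfrags++] = flen;
        rec->len += flen;
        off += 4 + flen;
        if (hdr & RM_LAST_FRAG) return (long)off;
    }
incomplete:
    free(rec->data); rec->data = NULL;
    return 0;
}

/* Write the record back with exactly the fragment boundaries it arrived in.
 * Returns bytes written, or 0 if the output buffer is too small. */
static size_t rpc_rm_refragment(const rpc_record_t *rec, uint8_t *out, size_t outcap) {
    if (outcap < rec->len + 4 * rec->nfrags) return 0;
    size_t in = 0, o = 0;
    for (size_t i = 0; i < rec->nfrags; i++) {
        uint32_t hdr = (uint32_t)rec->frag_len[i];
        if (i + 1 == rec->nfrags) hdr |= RM_LAST_FRAG;
        write_be32(out + o, hdr); o += 4;
        memcpy(out + o, rec->data + in, rec->frag_len[i]);
        o += rec->frag_len[i]; in += rec->frag_len[i];
    }
    return o;
}

/* Reassemble, anonymize and re-fragment every complete record in `in`.
 * Returns bytes written; *consumed reports how much input was used, so a
 * trailing partial record can be carried over to the next read. */
static size_t rpc_rm_anonymize_stream(const uint8_t *in, size_t inlen, uint8_t *out,
                                      size_t outcap, anon_fn fn, size_t *consumed) {
    size_t ipos = 0, opos = 0;
    while (ipos < inlen) {
        rpc_record_t rec;
        long used = rpc_rm_reassemble(in + ipos, inlen - ipos, &rec);
        if (used <= 0) break;                       /* incomplete or malformed: stop here */
        fn(rec.data, rec.len);
        size_t w = rpc_rm_refragment(&rec, out + opos, outcap - opos);
        free(rec.data);
        if (w == 0) break;
        ipos += (size_t)used; opos += w;
    }
    *consumed = ipos;
    return opos;
}

/* Constructed sample (not a real NFS capture): one record sent as three
 * fragments, followed by the start of a second record that is cut off. */
static const uint8_t SAMPLE_STREAM[] = {
    0x00,0x00,0x00,0x05, 'h','e','l','l','o',
    0x00,0x00,0x00,0x03, 'a','b','c',
    0x80,0x00,0x00,0x04, 'x','y','z','w',
    0x80,0x00,0x00,0x10, 'a','b'            /* header claims 16 bytes, only 2 present */
};
static uint8_t g_out[64];
static size_t g_consumed;
static rpc_record_t g_scratch;

/* Stand-in anonymizer: zero the first 4 bytes (XID position in a real RPC message). */
static void mask_xid(uint8_t *p, size_t len) { if (len >= 4) memset(p, 0, 4); }

static size_t demo_run(void) {
    return rpc_rm_anonymize_stream(SAMPLE_STREAM, sizeof SAMPLE_STREAM,
                                   g_out, sizeof g_out, mask_xid, &g_consumed);
}

int main(void) {
    size_t w = demo_run();
    printf("consumed %zu of %zu input bytes, wrote %zu:", g_consumed, sizeof SAMPLE_STREAM, w);
    for (size_t i = 0; i < w; i++) printf(" %02x", g_out[i]);
    printf("\n");
    return 0;
}
```

The fragment-length list stored in `rpc_record_t` is the answer to question 3: Wireshark's reassembly gives a dissector the joined tvbuff, so a tool that must write the traffic back out has to record the boundaries itself before reassembling. The `MAX_FRAGS` cap and the "need more data" return are the checks a practitioner wants when feeding untrusted captures through such a tool, since a malformed length field would otherwise drive an unbounded allocation.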