Wireshark · Wireshark-dev: Re: [Wireshark-dev] Wireshark-dev Digest, Vol 17, Issue 69

[habib zainali g <habibz1366@xxxxxxxxxxx>]

---

> From: wireshark-dev-request@xxxxxxxxxxxxx
> Subject: Wireshark-dev Digest, Vol 17, Issue 69
> To: wireshark-dev@xxxxxxxxxxxxx
> Date: Wed, 24 Oct 2007 17:26:05 +0000
>
> Send Wireshark-dev mailing list submissions to
> wireshark-dev@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> or, via email, send a message with subject or body 'help' to
> wireshark-dev-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
> wireshark-dev-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-dev digest..."
>
>
> Today's Topics:
>
> 1. Re: Protocol Parser Compiler (Luis EG Ontanon)
> 2. Support for MGCP over TCP with ASCII TPKT header (Harmeet Sawhney)
> 3. make in ./doc entered twice (Toralf Förster)
> 4. Re: epan/.libs/libwireshark.so.0.0.1 is not in scope of make
> ? (Toralf Förster)
> 5. Wireshark Crashing (Diaconou, Alex)
> 6. decoding Remote Desktop Protocol (DePriest, Jason R.)
> 7. Re: decoding Remote Desktop Protocol (Stephen Fisher)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Oct 2007 16:05:01 +0200
> From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] Protocol Parser Compiler
> To: "Developer support list for Wireshark"
> <wireshark-dev@xxxxxxxxxxxxx>
> Message-ID:
> <f20d86b70710240705l21dfedfbj799c79d38915f1b0@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> IMHO BNF or the alike is not the way to go!
>
> BNF parser generators have few isues that make them unfit for protocol
> dissectors the way we do them. I've started to write an ABNF-based LR
> dissector generator but found many things that would make it unfit.
>
> take the following BNF:
>
> a ::= b c.
> b := b b.
> b ::= B.
> c ::= C.
>
> let's say we got a packet containing BBBC (a mechanism, besides the
> BNF, to define terminal symbols is needed).
>
> The code for the reduction of "B -> b", "b b -> b" and "C -> c" will
> be evaluated before the code for reducing "b c -> a" is triggered.
> That means that we'll have a call sequence like this:
>
> B -> b
> B -> b
> b b ->b
> B -> b
> b b -> b
> C -> c
> b c -> a
> a -> $
>
>
> If we want to create a dissection tree from this call sequence we
> would need to call reversed. The code for the reduction of the start
> symbol (that should create the root of our tree) should be called
> first but an LR parser is going to call it at last.
>
> We would have to evaluate the entire message (hoping that is complete
> or else we will not be able to reduce the start symbol) creating
> interim containers before being able to add anything to the tree,
> which is cumbersome.
>
> This phenomenon shows up in the XML dissector (which is based on a bad
> idea I had similar to that of a BNF generated parser) where in order
> to avoid not being able to reduce the start symbol in case the message
> is truncated, I wrote many grammars for many different elements
> instead of a single grammar for the entire XML message and manage the
> entire parsing with a separate stack of described.
> Not only in order to be able to create the subtree before its children
> the parser first creates a tree on its own then it does some callbacks
> before pushing the subtrees and some others later on after popping
> making the code unintelligible. It does not even do the whole thing
> via the grammar!
>
> For generating dissectors for arbitrary protocols I would be looking
> more into something more similar to lex than to yacc. That is: a
> cursor based tool with an FSM. That means no not generating code from
> a context free grammar (like BNF) but looking into a contextual
> parser.
>
> <UDP> {
> <START> src_pt = UINT(2,src.port) -> GET_DST.
> <GET_DST> dst_pt = UINT(2,"dst.port") -> GET_LEN.
> <GET_LEN> data_lenght = UINT(2,"len") -> GET_CHK.
> <GET_CHK> UINT(2,"checksum") -> DATA.
> <DATA> DISSECT_TABLE(,"udp.port",src_pt,data_len) ||
> DISSECT_TABLE(,"udp.port",dst_pt,data_len) ||
> CALL_DISSECTOR("data",data_len).
> }
>
> This would allow to create the tree from the root (as we do) instead
> of building it from the leafs and would allow also to parse truncated
> messages which at least for me should be a a requirement for
> dissectors.
>
> Luis
>
> On 10/23/07, Andrew Feren <acferen@xxxxxxxxx> wrote:
> >
> > --- Guy Harris <guy@xxxxxxxxxxxx> wrote:
> >
> > > Graham Bloice wrote:
> > > > Might be interesting for some:
> > > >
> > > > binpac: A yacc for Writing Application Protocol Parsers
> > > > http://lambda-the-ultimate.org/node/2496
> > >
> > > Sebastien Tandel mentioned that back in May - I didn't get around to
> > > replying back then; thanks for reminding me of this and getting me to
> > > reply. Apologies to Sebastien for not replying then....
> > >
> > > Yes, something such as this would, I suspect, be a Very Good Thing.
> >
> > [ snip ]
> >
> > I'm looking at binpac for other reasons, but would be interested in using it
> > to generate Wireshark dissectors too.
> >
> > I do, however, have one question before I head too far down this path. How
> > do people feel about introducing C++ to Wireshark? I ask because binpac
> > currently generates C++ code.
> >
> > I can use binpac as it stands to generate dissectors, but adding a C backend
> > to binpac is out of scope for me at this time.
> >
> > -Andrew
> >
> >
> > -Andrew Feren
> > acferen@xxxxxxxxx
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
>
>
> --
> This information is top security. When you have read it, destroy yourself.
> -- Marshall McLuhan
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 24 Oct 2007 14:21:45 +0530
> From: Harmeet Sawhney <harmeet.sawhney@xxxxxxx>
> Subject: [Wireshark-dev] Support for MGCP over TCP with ASCII TPKT
> header
> To: wireshark-dev@xxxxxxxxxxxxx
> Cc: harmeet.sawhney@xxxxxxx
> Message-ID:
> <OFFFC74D38.5C130EF6-ON6525737E.0030AF16-6525737E.0030AF27@xxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Hi,
> I need to submit my changes for a bug (ID: 1856) to support MGCP over TCP
> with ASCII TPKT header. I had tested changes for bug on 0.99.5 version of
> wireshark.
> Now, I need to incoporate the patch in future releases of wireshark. Please
> let me know in which source code version of wireshark, I should merge
> changes for bug 1856 and then submit changes as a patch so that they can be
> incorported in future releases of wireshark.
>
> Regards,
> Harmeet Singh Sawhney
> Tata Consultancy Services
> TCS Towers, 249 D&E Udyog Vihar,
> Phase IV, Gurgaon
> Gurgaon,Haryana
> India
> Mailto: harmeet.sawhney@xxxxxxx
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty. IT Services
> Business Solutions
> Outsourcing
> ____________________________________________
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments. Thank you
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 24 Oct 2007 13:34:11 +0200
> From: Toralf Förster <toralf.foerster@xxxxxx>
> Subject: [Wireshark-dev] make in ./doc entered twice
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <200710241334.12342.toralf.foerster@xxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
>
> I observe the following since some svn revissions:
>
> ...
> creating wireshark
> creating editcap
> (cd doc ; \
> make ../wireshark-filter.4 )
> (cd doc ; \
> make ../wireshark-filter.html )
> make[3]: Entering directory `/home/tfoerste/devel/wireshark/trunk/doc'
> WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ../tshark -G fields | /usr/bin/perl ./dfilter2pod.pl ./wireshark-filter.pod.template > wireshark-filter.pod
> make[3]: Entering directory `/home/tfoerste/devel/wireshark/trunk/doc'
> WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ../tshark -G fields | /usr/bin/perl ./dfilter2pod.pl ./wireshark-filter.pod.template > wireshark-filter.pod
> /usr/bin/pod2html \
> --title="wireshark-filter - The Wireshark Network Analyzer 0.99.7" \
> --noindex \
> wireshark-filter.pod > ../wireshark-filter.html
> /usr/bin/pod2man \
> --section=4 \
> --center="The Wireshark Network Analyzer" \
> --release=0.99.7 \
> wireshark-filter.pod > ../wireshark-filter.4
> make[3]: Leaving directory `/home/tfoerste/devel/wireshark/trunk/doc'
> make[3]: Leaving directory `/home/tfoerste/devel/wireshark/trunk/doc'
>
>
>
> --
> MfG/Sincerely
>
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: This is a digitally signed message part.
> Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/3143fe1d/attachment.pgp
>
> ------------------------------
>
> Message: 4
> Date: Wed, 24 Oct 2007 13:40:39 +0200
> From: Toralf Förster <toralf.foerster@xxxxxx>
> Subject: Re: [Wireshark-dev] epan/.libs/libwireshark.so.0.0.1 is not
> in scope of make ?
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID: <200710241340.39799.toralf.foerster@xxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
>
> I opened bug http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1936 :-)
>
> --
> MfG/Sincerely
>
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: This is a digitally signed message part.
> Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/08632e4e/attachment.pgp
>
> ------------------------------
>
> Message: 5
> Date: Wed, 24 Oct 2007 10:19:37 -0600
> From: "Diaconou, Alex" <alex.diaconou@xxxxxxxx>
> Subject: [Wireshark-dev] Wireshark Crashing
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID:
> <32A0C17D9C21F84886D0BEDEB6A529BB02686698@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> When I try to capture (select the 'Interfaces' or 'Options' menu items
> under Capture menu), Wireshark crashes. I downloaded the newest Winpcap
> dpack and put it in the wireshark libs and rebuilt, but that did not
> work. I have an auto-installed version of Wireshark on my system which
> works fine. What is the reason for this crash? (memory reference
> error).
>
>
>
> Thanks
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.wireshark.org/lists/wireshark-dev/attachments/20071024/c0c39426/attachment.htm
>
> ------------------------------
>
> Message: 6
> Date: Wed, 24 Oct 2007 11:39:15 -0500
> From: "DePriest, Jason R." <jrdepriest@xxxxxxxxx>
> Subject: [Wireshark-dev] decoding Remote Desktop Protocol
> To: wireshark-dev@xxxxxxxxxxxxx
> Message-ID:
> <31b7d2790710240939x39154505yd160ec9beb5a17b1@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> After Tenable announced that they are going to have operating system
> detection based on Remote Desktop fingerprinting available to Direct
> Feed customers (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> I thought it would be great to figure out how they are doing that.
>
> Unfortunately, I can't seem to locate any good technical documentation
> on how RDP does what it does.
>
> I considered looking at the linux programs that use it (rdesktop) and
> trying to read their code, but I don't write code myself so it would
> be hit or miss.
>
> RDP is Microsoft's baby and I don't know where to look for in depth docs on it.
>
> Does anyone have a link or two to some helpful stuff that would help
> me break the code? Or will I just need to figure it the hard way?
>
> Thanks!
>
> -Jason
>
> --
> NOTICE: This email is being sent in clear-text across the public
> Internet. Therefore, any attempts to include unenforceable legalese
> restrictions are ridiculous and pointless. If you can read this,
> consider yourself authorized (whether I like it or not).
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 24 Oct 2007 11:26:01 -0600
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] decoding Remote Desktop Protocol
> To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Message-ID: <20071024172601.GA17898@shadow.local>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Oct 24, 2007 at 11:39:15AM -0500, DePriest, Jason R. wrote:
>
> > Unfortunately, I can't seem to locate any good technical documentation
> > on how RDP does what it does.
> >
> > I considered looking at the linux programs that use it (rdesktop) and
> > trying to read their code, but I don't write code myself so it would
> > be hit or miss.
> >
> > RDP is Microsoft's baby and I don't know where to look for in depth
> > docs on it.
> >
> > Does anyone have a link or two to some helpful stuff that would help
> > me break the code? Or will I just need to figure it the hard way?
>
> There is little to no public documentation on Remote Desktop. I wanted
> to implement RDP dissection in Wireshark a while back and gave up (I had
> just finished off the VNC dissector which was a pain even with
> documentation). Your best bet is to read the source code to rdesktop
> (which is poorly documented if I remember correctly) and the articles
> under the "Documentation" section of www.rdesktop.org. It is a shame
> they did not document the protocol(s) in a nice fashion while writing
> the code to rdesktop. I do not mean to discourage you or anyone from
> trying to figure it out as it would be a great feature to have in
> Wireshark. I would be willing to help if someone could figure out at
> least enough to get started :)
>
>
> Steve
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
> End of Wireshark-dev Digest, Vol 17, Issue 69
> *********************************************

---

Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! Try it!