Wireshark-dev: [Wireshark-dev] Patches to dissect TightVNC extensions to the VNC protocol
From: Federico Mena Quintero <[email protected]>
Date: Tue, 18 Nov 2008 13:28:53 -0600
Hi, all,

I've been working on making the VNC dissector work for TightVNC
extensions, including decoding rectangles with tight compression.

The patchset is attached; it's all my individual commits for clarity,
but please tell me if you'd prefer to have this as a single, big patch.
This adds the following to the VNC dissector:

- Dissect TightVNC negotiation (tunneling, basic authentication,
capabilities).

- Dissect X cursor encoding.

- Dissect POINTER_POS encoding.

- Dissect the general form of Tight rectangles.

- Dissect Tight image data (basic compression, JPEG, gradient).

- Handle LastRect encoding.

- Fix some always-true conditions.

- Some code cleanups.

I'm having trouble with decoding the Server Framebuffer Update state,
though.  The VNC dissector is written with this pattern:

  dissect_vnc()
  {
     bytes_needed = dissect_current_vnc_state();
     if (bytes_needed > 0)
         standard_desegmenting_code();
  }

  int dissect_current_vnc_state()
  {
     read a few bytes;
     proto_tree_add_blahblah();
 
     read some more;
     if (we need more data)
         return bytes_needed;
     else
         dissect some more, add to the tree;
  }

That is, the dissector parses the protocol and adds items to the tree as
it goes, but it may return prematurely if it finds that it needs more
data than is available in the tvb.

I am not very familiar with Wireshark's architecture or how the
dissectors are written, but from looking at the code it looks like the
"accepted" way of doing things is rather

  dissect_foo()
  {
     req_bytes = figure_out_length_of_request();
     if (tvb doesn't have req_bytes available)
          standard_desegmenting_code();
     else
          parse_bytes_and_add_to_tree();
  }

That is, the dissectors first check that they have as much data as they
need, and only then do they fiddle with the displayed tree.  Is this
correct, or am I overlooking something?

Changing the VNC dissector to follow that pattern isn't horribly hard,
just a lot of grunt work, but I can handle it if someone can confirm
what the "right" pattern is for a dissector :)

Cheers, and thanks for making Wireshark such an awesome program,

  Federico

Attachment: wireshark-vnc-tightvnc.diff
Description: application/mbox