Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] How does wireshark extract the name of file from filehandle?

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 13 Sep 2010 17:19:09 +0200
Hi,

The dissector must see the packet(s) which establish the relationship
between name and handle before it can add this information to the
packets which contain the handle only. It's that recreation of endpoint
state which allows Wireshark to do that, and the cause of much memory
grieve. 

Thanks,
Jaap


On Mon, 13 Sep 2010 03:35:38 -0400, "Tayade, Nilesh"
<Nilesh.Tayade@xxxxxxxxxxxx> wrote:
> Hi,
> 
> I seek some help on getting the filename/directory name from filehandle.
> I am working on parsing the NFS protocol packet. I can see in some of
> the packet captures in wireshark - the filename is displayed in the
> packet analysis window. But in actual byte stream the filename is NOT
> present (it just shows the file handle). Could someone please help
> understand how it extracts the name from filehandle?
> Attached is the screenshot of packet, highlighting the temp_dir name.
> 
> Byte stream:
> 0000  00 30 48 bd 8b 4c 00 30  48 d6 7b 16 08 00 45 00   .0H..L.0
> H.{...E.
> 0010  00 b4 ea 42 40 00 40 06  53 bb c0 a8 3d 44 c0 a8   ...B@.@.
> S...=D..
> 0020  3d b1 03 ef 08 01 28 10  8d 57 ba fc 4b 7b 80 18   =.....(.
> .W..K{..
> 0030  01 f5 fc ec 00 00 01 01  08 0a 23 fd 71 76 28 8d   ........
> ..#.qv(.
> 0040  66 e8 80 00 00 7c 4e 56  ff 6b 00 00 00 00 00 00   f....|NV
> .k......
> 0050  00 02 00 01 86 a3 00 00  00 03 00 00 00 04 00 00   ........
> ........
> 0060  00 01 00 00 00 38 00 09  36 a4 00 00 00 06 57 42   .....8..
> 6.....WB
> 0070  32 2d 36 38 00 00 00 00  00 00 00 00 00 00 00 00   2-68....
> ........
> 0080  00 07 00 00 00 00 00 00  00 01 00 00 00 02 00 00   ........
> ........
> 0090  00 03 00 00 00 04 00 00  00 06 00 00 00 0a 00 00   ........
> ........
> 00a0  00 00 00 00 00 00 00 00  00 14 01 00 00 01 00 08   ........
> ........
> 00b0  00 13 ef 68 66 00 03 f6  27 00 38 ec fc 13 00 00   ...hf...
> '.8.....
> 00c0  00 1f                                              ..
> 
> 
> P.S. Please include my email ID in the reply, as I am not subscribed to
> the list.
> 
> --
> Thanks,
> Nilesh
> x46222
> Yahoo IM: nilesh_tayade85