Wireshark · Wireshark-dev: Re: [Wireshark-dev] What is the best way to create a stateful dissector?

Wireshark-dev: Re: [Wireshark-dev] What is the best way to create a stateful dissector?

From: Bill Meier <wmeier@xxxxxxxxxxx>

Date: Tue, 22 Nov 2011 19:18:35 -0500

On 11/22/2011 7:02 PM, Bill Meier wrote:


So, it may be the case that you'll need to store "per-frame" info about
any decisions made as to how to dissect a particular packet based upon a
previous packet.

When an arbitrary packet is then dissected again later the associated
per-packet info is used to do the dissection in the same way as done
during the first sequential pass.

Or: If the nature of the state info is akin to "setup" info which onceseen applies to all the following packets of a conversation then use ofa conversation should be sufficient.

(Of course your dissector will need to handle the case wherein a capture"starts in the middle" such that info from a previous packet is notavailable).

If the state info can be different for each of the streams then you maywant to use a GHashtable associated with a conversation to store infofor each individual stream associated with a conversation (connection).

Follow-Ups:
- Re: [Wireshark-dev] What is the best way to create a statefuldissector?
  - From: Kenny Ho

References:
- [Wireshark-dev] What is the best way to create a stateful dissector?
  - From: Kenny Ho
- Re: [Wireshark-dev] What is the best way to create a stateful dissector?
  - From: Bill Meier
- Re: [Wireshark-dev] What is the best way to create a stateful dissector?
  - From: Bill Meier

Prev by Date: Re: [Wireshark-dev] What is the best way to create a stateful dissector?
Next by Date: Re: [Wireshark-dev] Linked bug reports
Previous by thread: Re: [Wireshark-dev] What is the best way to create a stateful dissector?
Next by thread: Re: [Wireshark-dev] What is the best way to create a statefuldissector?
Index(es):
- Date
- Thread