Wireshark-dev: [Wireshark-dev] Remaining Wireshak stuff during FOSDEM
From: Joerg Mayer <[email protected]>
Date: Sun, 5 Feb 2012 15:55:38 +0100
Hello everyone,

here's the remaining wireshark/sniffing related stuff that I remember
talking about.



Dinnertalk (just ideas, not discussed in detail):

- Something I can't remember
- In order to reduce the impact of buffer overflows and similar mistakes
  separate out the dissection code into it's own executable like it was
  done with dumpcap. This process could then be run in a sandbox and talk
  to the Wireshark process via filehandles or whatever. This would also
  significantly reduce the work required to show several traces in one
  process, as the dissection code would not need to be touched.
- Maybe verify GPL compliance of commercial software calling Wireshark's
  dissection code via Microsoft's COM mechanism (with and without process
  switching). Who can we ask about this? EFF?
- Idea: Offer a translated (capture filter syntax) version when a user enters
  a display filter into a capture filter place (e.g. "Did you mean
  'host'?" after the user entered ip.addr==

FOSDEM beer event (after a beer or so):

- Wireshark doesn't have any catchy code names for releases like the Linux
  kernel has. Use shark species like "smashing Sphyrna mokarran". Send out
  Sake to provide pictures ;-)


- Visiting introduction Cmake talk as FOSDEM (Graham, Jörg, Martin, Sake) by
  Bill Hoffman and Alexander Neundorf.

- The minemu talk was interesting
  but probably not relevant for Wireshark testing.

Dinnertalk (with Harald Welte):

- Sniffing sim-card traffic
- decode as
  + any type of payload (not layer specific)
  + at any place
  + saveable
- Change protocol tables and save that (i.e. change the default port of
  a protocol and save that). Provide a fixed port (or whatever selector
  is used) for heuristic protocols
- Inverse to desegmentation: at some layer there are e.g. 13 higher level
  pdus inside one frame. Convert this into 13 separate packets (or whatever).
- Ability to "ignore" (i.e. don't show) lower level protocols
- Show context of filtered packets (like diff -C 3 ...)
- Ability to filter on the info column
- Provide an option to show the info column when running "tshark -V ..."
- CSN1 decoding is manually coded right now - and wrong in some places.
  Automatic creation like ASN.1 possible but rather hard problem.


- Coreboot talk: Interesting project but irrelevant to Wireshark unless we
  want to put Wireshark into the bios ;-)

Nothing Wireshark specific happend.

Joerg Mayer                                           <[email protected]>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.