
Epan, dissect a packet as independent one

asked 2024-09-24 16:49:28 +0000

CollinX

updated 2024-09-24 18:01:39 +0000

I'm trying to implement a custom Epan lib API for packet dissection. Currently I'm done with packet dissection and everything works fine. But after I tried to dissect a packet as independent (out of the flow, stream) I ran into a problem... Example: I have some 10 packets that are a TCP stream and one extra that is not connected to the stream, and I want to dissect this extra packet as independent, meaning I do not want to add this packet to the dissection history or save any data of this packet in the dissectors' flow.

How I dissect the stream:

epan_t* stream_epan = epan_new(NULL, &g_funcs);
/* Performing dissection for all the TCP stream packets sequence */
/* ... */
epan_dissect_run(g_edt, g_filetype_subtype, &reclocal, tvb, &fdlocal, &g_cinfo);
/* ... */
/* Trying to create new independent epan instance, but this causes an exception, seems like I can not create new epan instance after one already has been created... */
epan_t* independent_epan = epan_new(NULL, &g_funcs);

How can I correctly dissect some packets as independent, like I described above? How does WS do it, or is this impossible? Or does it work only with reading a file and provider creation? Or how? Can somebody explain to me how I can make this possible?

I'm also having some weird issues when I create an epan session locally in a function:

 epan_t* local_epan = epan_new(NULL, &g_funcs);
 /* ... dissection procedure */
 epan_free(local_epan);

After this function I'm not able to use my original epan instance that was created as a global variable in the init function at the beginning of my program. At the same time, if I do not free local_epan in the local function, or free it via g_free(local_epan); instead of epan_free(local_epan);, it works with no issues... Same here, I do not really understand why. One thing that comes to mind is that perhaps, somehow, epan_new(NULL, &g_funcs); creates every new session with no provider and counts every new session as the same as the previous one with the same no-provider argument, e.g. NULL, but that is just guessing...


Comments

Trying to create new independent epan instance, but this causes an exception

What sort of exception?

Guy Harris ( 2024-09-24 17:22:59 +0000 )

It is actually an assertion; here is the trace where it happens:

epan.c -> [Line: 482] | init_dissection();
packet.c -> [Line: 350] | wmem_enter_file_scope();
wmem_scopes.c -> [Line: 86] | ws_assert(!wmem_in_scope(file_scope));
CollinX ( 2024-09-24 17:44:04 +0000 )

1 Answer


answered 2024-09-24 20:23:20 +0000

Guy Harris

In order for the epan framework to handle more than one independent source of packets, it would need to support per-source "file" scopes rather than a single global "file" scope.

However, while that's necessary, it's not sufficient to handle more than one independent source of packets, as many dissectors accumulate state information, and that's global rather than being attached to a packet source.

So this isn't going to be possible with libwireshark as it exists, and fixing that would take a significant amount of work.


Comments

Thank you for the help! But really? Such a powerful framework can handle only one session? Come on... Well, then the only way I see to implement this is to make some kind of helper that will load a copy of libwireshark.dll into memory and handle the independent dissection feature. Or maybe even some exe helper that will just handle a single packet dissection, return the result and close in the background, or something. This is the only way I see for now then :( Also, I do not want to change the original WS DLLs at all. All my API is designed to work with the original sources and with all their limitations, but I really need this "independent dissection" feature in my API... So I will have to implement it somehow for sure...

CollinX ( 2024-09-24 21:04:51 +0000 )
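
The helper-process idea from the last comment, as an added example that is not part of the original thread and is not libwireshark code. The names session_open, session_close, session_dissect and dissect_isolated are hypothetical stand-ins that model one process-wide "file" scope like the one in the assertion trace; a real helper would initialise libwireshark itself inside the separate process.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-ins (assumptions): one process-wide scope plus accumulated state. */
static bool file_scope_active;   /* models the single global "file" scope */
static unsigned packets_seen;    /* models state that dissectors accumulate */

/* Models opening a session: a second open in the same process is refused. */
static int session_open(void) {
    if (file_scope_active) return -1;   /* the trace shows an assertion here */
    file_scope_active = true;
    packets_seen = 0;
    return 0;
}
static void session_close(void) { file_scope_active = false; }
static unsigned session_dissect(const unsigned char *pkt, size_t len) {
    (void)pkt; (void)len;
    return ++packets_seen;              /* frame number within this session */
}

/* Dissect one packet in a child process; returns its frame number there, or -1. */
static int dissect_isolated(const unsigned char *pkt, size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child owns a private copy of the globals */
        close(fds[0]);
        session_close();                /* discard the inherited copy of the session */
        unsigned n = session_open() == 0 ? session_dissect(pkt, len) : 0;
        _exit(write(fds[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(fds[1]);
    unsigned n = 0;
    ssize_t r = read(fds[0], &n, sizeof n);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (r != (ssize_t)sizeof n || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (int)n;
}

int main(void) {
    const unsigned char pkt[] = {0x45, 0x00};   /* constructed sample bytes */
    if (session_open() != 0) return 1;
    for (int i = 0; i < 10; i++) session_dissect(pkt, sizeof pkt);
    int isolated = dissect_isolated(pkt, sizeof pkt);
    printf("isolated=%d next=%u\n", isolated, session_dissect(pkt, sizeof pkt));
    return 0;
}
```

The extra packet is numbered 1 in the child while the parent's stream continues at 11, so nothing from the independent dissection reaches the stream's state.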
