Ask Your Question
0

Epan, dissect a packet as independent one

asked 2024-09-24 16:49:28 +0000

CollinX gravatar image

updated 2024-09-24 18:01:39 +0000

I'm trying to implement custom Epan lib API for packet dissections. Currently I'm done with packets dissection and everything works fine. But after I tried to dissect a packet as independent (out of the flow, stream) I ran into a problem... Example: I have some 10 packets, that are a TCP stream and one extra that is not connected to the stream, and I want dissect this extra packet as independent, meaning I do not want to add this packet to the dissection history and do not save any data of this packet in the dissectors flow.

How I dissect the stream:

epan_t* stream_epan = epan_new(NULL, &g_funcs);
/* Performing dissection for all the TCP stream packets sequence */
/* ... */
epan_dissect_run(g_edt, g_filetype_subtype, &reclocal, tvb, &fdlocal, &g_cinfo);
/* ... */
/* Trying to create new independent epan instance, but this causes an exception, seems like I can not create new epan instance after one already has been created... */
epan_t* independent_epan = epan_new(NULL, &g_funcs);

How actually can I correctly dissect some packets as independent like I described above? How the WS doe it, or this is impossible? Or It works only with the read file and provider creation? Or how? Can somebody explain me how can I make it possible?

Also having some weird issues when I create epan session locally in the function

 epan_t* local_epan = epan_new(NULL, &g_funcs);
 /* ... dissection procedure */
 epan_free(local_epan);

After this function I'm not able to use my original epan instance that has been created as global variable in the init function at the beginning in my program. In same time if I do not free local_epan in the local function or freeing via g_free(local_epan); instead of epan_free(local_epan); it works with no issues... Same here do not really understand why. One thing that pops up for me it perhaps, somehow, epan_new(NULL, &g_funcs);, creates every new session with no provider and counts every new session as the same as previous with same no provider in the arguments e.g. NULL, but it is just guessing...

edit retag flag offensive close merge delete

Comments

Trying to create new independent epan instance, but this causes an exception

What sort of exception?

Guy Harris gravatar imageGuy Harris ( 2024-09-24 17:22:59 +0000 )edit

It is actually Assertion, here is the trace where it happens:

epan.c -> [Line: 482] | init_dissection();
packet.c -> [Line: 350] | wmem_enter_file_scope();
wmem_scopes.c -> [Line: 86] | ws_assert(!wmem_in_scope(file_scope));
CollinX gravatar imageCollinX ( 2024-09-24 17:44:04 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2024-09-30 21:28:09 +0000

CollinX gravatar image

updated 2024-09-30 21:33:31 +0000

UPDATE

Just finished with tests of my app and my requested feature. So now gonna share some info. If somebody faced with same kind of problem - here is how I managed to meet my needs.

I have written simple console app in C++, which loads EPAN Framework lib into it's memory space (it loads my custom API Dll, and my Dll preloads actual EPAN Dlls after all), and with this approach I actually got an isolated EPAN infrastructure, and now, by using it, I'm able to dissect some packets completely independently with no affect on my main stream.

Also, the C++ app is used just as an child process of my main app, and all communication (IPC) is implemented through Win Named Pipes + JSON serialization\deserialization. I don't rly have many API calls (about 15 for now), so it is decent for me to use this approach.

Maybe there are some better\modern approaches, but since I'm not that pro in C/C++ I did my best, and share here.

Cheers :)

edit flag offensive delete link more

Comments

Loading the EPAN library into your C++ app will give you one EPAN infrastructure and all the dissectors using it, but it won't give you more than one. Did you load it more than once? Or do you run multiple instances of your C++ app as a child process of the main app, with each instance dissecting independently from the other ones?

Guy Harris gravatar imageGuy Harris ( 2024-09-30 23:20:29 +0000 )edit
add a comment
0

answered 2024-09-24 20:23:20 +0000

Guy Harris gravatar image

In order for the epan framework to handle more than one independent source of packets, it would need to support per-source "file" scopes rather than a single global "file" scope.

However, while that's necessary, it's not sufficient to handle more than one independent source of packets, as many dissectors accumulate state information, and that's global rather than being attached to a packet source.

So this isn't going to be possible with libwireshark as it exists, and fixing that would take a significant amount of work.

edit flag offensive delete link more

Comments

Thank You for the help! But Really? So powerful framework can handle only one session? Come on... Well then the only way I see how to implement this is to make some kind of helper that will load copy of the libwireshark.dll into the memory and will handle independent dissection feature. Or maybe even some exe helper that will just handle single packet dissection return result and close in background or something. This is the only way I see for now then :( also I do not want to change original WS dlls at all. All my API is designed to work with original sources and with all limitations, but I really need this "independent dissection" feature in my API.. So will have to implement it somehow for sure...

CollinX gravatar imageCollinX ( 2024-09-24 21:04:51 +0000 )edit

So powerful framework can handle only one session?

For better or worse, it was originally developed as part of the Wireshark application, and was separated out in 2000; TShark was implemented atop the new framework. It was not designed for completely general use, so it's not as general as some might like.

Guy Harris gravatar imageGuy Harris ( 2024-09-25 08:54:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-09-24 16:49:28 +0000

Seen: 140 times

Last updated: Sep 30

Related questions

What should be done when detecting faulty frames?

SSL Dissector having public key,private key, DH Params: possibile?

How to access initial HTTP negotiation context data from websocket dissector?

distinguish dissectors using same udp port

Wireshark doesn't dissect Emails received via POP3

udp packet reassembly and dissection with lua

Seeking Example for Protocol Encapsulating IPv4

Type for Dissecting n-bit Quantities

Undissecting tcp2123/tcp2152 currently dissected as GTP

How to enable the eCPRI packet