On Fri, May 02, 2003 at 10:51:05PM +0200, Matthijs Melchior wrote:....
There is one problem left. All my test cases start correctly with
a top level pdu. I cannot expect that to happen when I look at a
live data stream. I will need some way to give ethereal a hint as
to where in the first packet of a capture it is reasonable to start
parsing.
Ronnie Sahlberg added some stuff that might at least partially allow that, and might be the basis for code to allow more of it.
If the dissector isn't heuristic, but could scan through a TCP segment and decide where in that segment a packet for its protocol begins, that would probably be fairly straightforward to handle (and Ronnie's changes might already allow that).
Well, I have found something that sort-of works. If the tcp packet is not reassebled, then parsing begins at a specified offset. In my testing samples, this is always the first packet..., but if the pdu's fit exactly then it could occur elswhere, isn't it...
When 0.9.12 is available I will try to find Ronnie Sahlberg's stuff...
Well, BER encoding has little redundancy and that makes it very difficult to distinguish meta data from real data. With knowledge of the contents of the pdu's in my current samples I can point to pdu start positions, but that is certainly not generally applcable.
And, as a first aproximation, I think my current mechanism is acceptable, and remains a candidate for improvement, if we know how.
Thanks.
-- Regards, ---------------------------------------------------------------- -o) Matthijs Melchior Maarssen /\\ [EMAIL PROTECTED] Netherlands _\_v ---------------------------------------------------------------- ----
