----- Original Message ----- From: "Shaul Eizikovich" Sent: Tuesday, April 15, 2003 9:41 PM Subject: RE: [Ethereal-dev] Crash when using "Per packet information"
> I was probably unclear because I was trying to write a short entry. > Let me elaborate: > > I'm writing a dissector that will run on the output of "fw monitor". This > output is almost identical to "snoop" with some minor differences. > The relevant data being: every packet is replicated several times, with > everything but the MAC address staying unchanged. The replicated sub-packets > are guarantied to be sequential and continuous. Why would the packet be duplicated several times with different link layers? Is the purpose using the linklayer as a weird sidechannel to encode additional data for how the packet traverse the statemachine in some unknown entity? Still sounds sub-optimal design to duplicate full packets playing link layer modification games to represent side channel data. Wastes space and makes captures huge i would assume. Why not redesign the representation of the sidechannel? 1, Maybe add a new frame type that preceedes every normal packet which holds the side channel data? 2, Or preceed every normal packet with empty link layer (ethernet) frames only consisting of headers using a special mac source address, like having bit 2 of the first byte set as local administrated mac address and the remaining 22 bits of the oui as whatever mac range allocated to your organization, then use the last three bytes of that max and all 6 bytes of the dest mac as the sidechannel but dont duplicate the packets. Add some magic in packet-eth.c to detect these weirdo packets. #1 seems sane to me but #2 however kludgy could probably work as well. No need for weird tricks playing with internal structures in pinfo that may change whenever. it this dissector for internal use or for inclusion in ethereal? if for internal use only there is no issue with kludges and you can just look at pinfo->fd->flags.visited which is 0 first time the packet is seen and 1 othervise.
