Re: [Wireshark-dev] RFD: New language to write dissectors

[Guy Harris]

On Jul 24, 2012, at 1:23 PM, Jakub Zawadzki wrote:

 From my perspective: I really use ~ 20 dissectors, why I need all of them?

...and if they're loaded at startup time and either interpreted or translated 
after being loaded, it might be easier to choose a subset of protocols (NetMon 
lets you do that, although I don't remember whether you can specify an 
arbitrary subset or if they just let you choose from subsets they've defined).
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Tyson Key]

Hmm, I did briefly think that if we ever moved all dissectors into plug-in
form (which would be unlikely, given the drive to make as many built-in as
possible), we could package them according to protocol family/purpose, so
that users could select only the ones that were necessary - but many have
complex interdependencies; and there's always going to be a number of
people who'll complain if they can't find an obscure dissector in their
installation.

That said, one of the appeals of Wireshark to me is that it only does
everything (to steal Sony's slogan); and that the current
licencing/project maintenance arrangements encourage people to contribute
new dissectors/features (even if not everything gets accepted 100% of the
time), and participate in their maintenance - so that everyone receives a
better product in the long term.

(I'm not opposed to the implementation of new mechanisms that potentially
make it easier to enhance, and extend Wireshark, though).

Just my 0.02p,

Tyson.

2012/7/25 Guy Harris g...@alum.mit.edu


 On Jul 24, 2012, at 1:23 PM, Jakub Zawadzki wrote:

  From my perspective: I really use ~ 20 dissectors, why I need all of
 them?

 ...and if they're loaded at startup time and either interpreted or
 translated after being loaded, it might be easier to choose a subset of
 protocols (NetMon lets you do that, although I don't remember whether you
 can specify an arbitrary subset or if they just let you choose from subsets
 they've defined).
 ___
 Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
 Archives:http://www.wireshark.org/lists/wireshark-dev
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
  mailto:wireshark-dev-requ...@wireshark.org
 ?subject=unsubscribe




-- 
  Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jeff Morriss]

Jakub Zawadzki wrote:

From my perspective: I really use ~ 20 dissectors, why I need all of them?


Admittedly 99% of the time I normally only use 10-15 dissectors, but 
OTOH every once in a while I'll start Wireshark to figure out why my 
insert service/application here is slow, not working, whatever and 
it's nice that my Wireshark automatically decodes 
service/application's traffic.


Anyway, what does it matter to me if there are 20 dissectors or 1000? 
Wireshark's startup time is still fairly fast[1].  Could it be faster? 
Sure, why not.  Do I care?  Not as much as making dissecting and 
filtering faster.


[1] On my *old* desktop it takes ~1.5 seconds between when I start the 
GUI though (manually) hitting Ctrl-Q and when the process exits. 
(Admittedly I probably ran it recently so most of the pages are in 
memory already.)

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jeff Morriss]

On 07/14/2012 06:31 PM, Guy Harris wrote:


On Jul 14, 2012, at 8:26 AM, Jakub Zawadzki wrote:


It'd be great if we have some abstract and pure (no C/assembly inline) language 
to write dissectors.


[...]


On the other hand, it might also allow protocol descriptions to be
shipped either in source form or binary form with restrictions on
redistribution, providing a way to get around the GPL for protocols.
Some might consider that a feature (I seem to remember many years ago
Cisco raised this issue about some protocols) and others might consider
it a bug. If we end up with a consensus of it's a bug, we might be
able to extend the protections of the GPL to dissector descriptions fed
to the interpreter, so that if you make a compiled protocol
description available, you must also make the source available to
recipients and must give recipients the right to redistribute the source
or binaries.


I'd tend to think that would be a bug.

This reminds me of the struggles I've had recently getting people to 
contribute their diameter.xml changes to Wireshark.  They're able to 
just add the stuff they need and they don't change versions (or 
computers) often enough to care so they haven't felt the need to get the 
changes in.


Having an editable XML file is great for local modifications but it does 
lower the urge to get the changes checked into the Wireshark trunk. 
Lowering the barrier to adding dissectors would likely have a similar 
effect.  And I think part of what has made Wireshark great (from a 
user's perspective) is that it supports so many protocols out of the 
box; it supports so many protocols because it's easy to write them and 
get them included in Wireshark's repository.


(I'm not saying this is a reason to not support such a feature, I'm just 
putting the thought out there.)

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jakub Zawadzki]

On Tue, Jul 24, 2012 at 09:40:36AM -0400, Jeff Morriss wrote:
 On 07/14/2012 06:31 PM, Guy Harris wrote:
 
  On Jul 14, 2012, at 8:26 AM, Jakub Zawadzki wrote:
 
  It'd be great if we have some abstract and pure (no C/assembly inline) 
  language to write dissectors.
 
 [...]
 
  On the other hand, it might also allow protocol descriptions to be
  shipped either in source form or binary form with restrictions on
  redistribution, providing a way to get around the GPL for protocols.
  Some might consider that a feature (I seem to remember many years ago
  Cisco raised this issue about some protocols) and others might consider
  it a bug. If we end up with a consensus of it's a bug, we might be
  able to extend the protections of the GPL to dissector descriptions fed
  to the interpreter, so that if you make a compiled protocol
  description available, you must also make the source available to
  recipients and must give recipients the right to redistribute the source
  or binaries.
 
 I'd tend to think that would be a bug.
 
 This reminds me of the struggles I've had recently getting people to 
 contribute their diameter.xml changes to Wireshark.  They're able to 
 just add the stuff they need and they don't change versions (or 
 computers) often enough to care so they haven't felt the need to get the 
 changes in.
 
 Having an editable XML file is great for local modifications but it does 
 lower the urge to get the changes checked into the Wireshark trunk. 
 Lowering the barrier to adding dissectors would likely have a similar 
 effect.  

The same situation is possible now with plugins.

I think the main reason why user don't want to contribute, is because it's 
complicated.
User need to create account, verify his mail, attach dissector sources, fix 
code, 
answer comments, fix code (again), etc, etc...

But if we have some language, which is easy to write dissector, easy to check 
(does it parse?),
and easy to maintaince. We can have 'upload your dissector' on main page. 
User need to upload just two files - sources and sample capture file.

 And I think part of what has made Wireshark great (from a 
 user's perspective) is that it supports so many protocols out of the 
 box; it supports so many protocols because it's easy to write them and 
 get them included in Wireshark's repository.

From my perspective: I really use ~ 20 dissectors, why I need all of them?

Cheers,
 Jakub.
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jakub Zawadzki]

On Sun, Jul 15, 2012 at 08:10:42PM -0700, Richard Sharpe wrote:
 On Sun, Jul 15, 2012 at 2:20 AM, Jakub Zawadzki darkjames...@darkjames.pl 
 wrote:
 Well, it might look stupid to you, but it represents a quick way to
 get simplify the process of producing dissectors, and writing a
 dissector is very boring.

Forgot word, once again: *Manually* translating 4K lines of NPL code to C looks 
stupid to me (...)

 In addition, to produce Wireshark C-based dissectors from NPL would
 seem not to require LLVM. A simple recursive descent parser should
 suffice.

LLVM is not parser generator (in wireshark we use lemon for it), and if we talk 
about boredom, 
writting recursive descent parser is boring ;-)
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Richard Sharpe]

On Sun, Jul 15, 2012 at 10:53 PM, Jakub Zawadzki
darkjames...@darkjames.pl wrote:
 On Sun, Jul 15, 2012 at 08:10:42PM -0700, Richard Sharpe wrote:
 On Sun, Jul 15, 2012 at 2:20 AM, Jakub Zawadzki darkjames...@darkjames.pl 
 wrote:
 Well, it might look stupid to you, but it represents a quick way to
 get simplify the process of producing dissectors, and writing a
 dissector is very boring.

 Forgot word, once again: *Manually* translating 4K lines of NPL code to C 
 looks stupid to me (...)

 In addition, to produce Wireshark C-based dissectors from NPL would
 seem not to require LLVM. A simple recursive descent parser should
 suffice.

 LLVM is not parser generator (in wireshark we use lemon for it), and if we 
 talk about boredom,
 writting recursive descent parser is boring ;-)

I should have said more :-)

We can do the parsing any way we want. However, it seems that we do
not need LLVM if we are just producing dissectors as C code. We would
only need it if we want to compile all the way into some sort of byte
code for dissectors.

However, AFAIK, there is no such dissector VM today. There is a VM for
filtering, but not for dissection.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Guy Harris]

On Jul 16, 2012, at 7:18 AM, Richard Sharpe wrote:

 We can do the parsing any way we want. However, it seems that we do
 not need LLVM if we are just producing dissectors as C code. We would
 only need it if we want to compile all the way into some sort of byte
 code for dissectors.

$ gcc
-bash: gcc: command not found
$ clang
-bash: clang: command not found
$ cc
-bash: cc: command not found

...

Obviously not my machine, which *does* have gcc and clang installed, and in 
which cc is a link to gcc, but if somebody's not interested in writing C code 
but *is* interested in adding a new protocol to Wireshark, and doesn't have a C 
compiler installed, either translating to an interpreted bytecode or to, for 
example, LLVM language:

http://llvm.org/docs/LangRef.html

and JITting it into your machine code, could be useful.

 However, AFAIK, there is no such dissector VM today. There is a VM for
 filtering, but not for dissection.

There isn't, but perhaps there should be.
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jakub Zawadzki]

On Sat, Jul 14, 2012 at 03:31:06PM -0700, Guy Harris wrote:
 
 On Jul 14, 2012, at 8:26 AM, Jakub Zawadzki wrote:
 
  It'd be great if we have some abstract and pure (no C/assembly inline) 
  language to write dissectors.
 
 Or to describe protocols and the way packets for those protocols are 
 displayed - the languages in question wouldn't be as procedural as 
 C/Lua/etc, they'd be more descriptive.
 
  We could invent yet another protocol desciption language,
 
 ...but, as you suggest, we probably shouldn't.

http://imgs.xkcd.com/comics/standards.png ;-)

 I'm not sure it has to be a choice, though - we could implement both, 
 resources permitting, of course.  (And, of course, given that there are many 
 already-existing languages that describe protocols - ASN.1, {OSF 
 IDL/MIDL/PIDL} for DCE RPC, rpcgen for ONC RPC, CORBA IDL, xcb for X11 - we 
 will probably never have the One True Protocol Description Language.)

I'd rather support one, and later have some compiler from language A to B.


  I'm bigger fan of NPL (...) but there might exists some legal (patents for 
  grammar/implementation?!) issues.
 
 That would be one concern - even having our own language, such as wsgd, 
 runs the risk of infringing a patent, but, well, *writing software of just 
 about any sort* runs the risk of infringing a patent; 
 however, we're dealing with a large corporation in the case of NPL, so 
 there's probably a greater risk that some or all of it is covered by patents. 
 Were Microsoft to explicitly state that there are no patents on 
 NPL-the-language or that they're granting a royalty-free license for all 
 implementations (perhaps with a mutual assured destruction clause, 
 so that were we to patent some feature of Wireshark and sue Microsoft for 
 violating that patent, our license for their patents would terminate), and 
 the same applied to any patents they hold on their 
 implementation of NPL that would block independent useful implementations, 
 that might help.

I'm not sure if it was covered by recent Oracle vs Google lawsuits.
Maybe Riverbed could help us with it? Gerald?

  With wsgd we could reuse some existing code of plugin.
 
 ...and we also have more freedom to extend the language, e.g. to support 
 preferences for a protocol 

or support for columns/expert info.

 Were there an Open NPL Consortium of some sort where multiple implementers 
 of NPL could propose extensions, and perhaps a way an implementation could 
 offer private extensions without worrying about colliding with other 
 implementations or future standards, that might help.

It'd also clear legal status of NPL language.


 (It also raises the question of whether interpreted execution of that 
 machine code or translation to C or machine language will be faster - 
 interpreted execution *could* result in a smaller cache footprint if the 
 interpreter is small enough and the code high-level enough to be fairly 
 dense, although it does involve difficult-at-best-to-predict branches in the 
 interpretive loop.)

I was thinking to use LLVM. For built-in dissectors we could compile dissectors 
to object file/ assembly, for user dissectors we'll benefit from LLVM JIT.
But anyway we need compiler to C. For prototype (does it work?) and later as 
fallback for people who don't have LLVM.
... Or can LLVM libraries be strong dependency?
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Tyson Key]

Hmm,

What about implementing a compiler that generates C dissector source code,
from NPLt m, or WSGD dissector code? Or would that be overkill for what
we're trying to do?

Just my 0.02p...

Tyson.

2012/7/15 Jakub Zawadzki darkjames...@darkjames.pl

 On Sat, Jul 14, 2012 at 03:31:06PM -0700, Guy Harris wrote:
 
  On Jul 14, 2012, at 8:26 AM, Jakub Zawadzki wrote:
 
   It'd be great if we have some abstract and pure (no C/assembly inline)
 language to write dissectors.
 
  Or to describe protocols and the way packets for those protocols are
 displayed - the languages in question wouldn't be as procedural as
 C/Lua/etc, they'd be more descriptive.
 
   We could invent yet another protocol desciption language,
 
  ...but, as you suggest, we probably shouldn't.

 http://imgs.xkcd.com/comics/standards.png ;-)

  I'm not sure it has to be a choice, though - we could implement both,
 resources permitting, of course.  (And, of course, given that there are
 many already-existing languages that describe protocols - ASN.1, {OSF
 IDL/MIDL/PIDL} for DCE RPC, rpcgen for ONC RPC, CORBA IDL, xcb for X11 - we
 will probably never have the One True Protocol Description Language.)

 I'd rather support one, and later have some compiler from language A to B.


   I'm bigger fan of NPL (...) but there might exists some legal (patents
 for grammar/implementation?!) issues.
 
  That would be one concern - even having our own language, such as
 wsgd, runs the risk of infringing a patent, but, well, *writing software of
 just about any sort* runs the risk of infringing a patent;
  however, we're dealing with a large corporation in the case of NPL, so
 there's probably a greater risk that some or all of it is covered by
 patents.
  Were Microsoft to explicitly state that there are no patents on
 NPL-the-language or that they're granting a royalty-free license for all
 implementations (perhaps with a mutual assured destruction clause,
  so that were we to patent some feature of Wireshark and sue Microsoft
 for violating that patent, our license for their patents would terminate),
 and the same applied to any patents they hold on their
  implementation of NPL that would block independent useful
 implementations, that might help.

 I'm not sure if it was covered by recent Oracle vs Google lawsuits.
 Maybe Riverbed could help us with it? Gerald?

   With wsgd we could reuse some existing code of plugin.
 
  ...and we also have more freedom to extend the language, e.g. to support
 preferences for a protocol

 or support for columns/expert info.

  Were there an Open NPL Consortium of some sort where multiple
 implementers of NPL could propose extensions, and perhaps a way an
 implementation could offer private extensions without worrying about
 colliding with other implementations or future standards, that might help.

 It'd also clear legal status of NPL language.


  (It also raises the question of whether interpreted execution of that
 machine code or translation to C or machine language will be faster -
 interpreted execution *could* result in a smaller cache footprint if the
 interpreter is small enough and the code high-level enough to be fairly
 dense, although it does involve difficult-at-best-to-predict branches in
 the interpretive loop.)

 I was thinking to use LLVM. For built-in dissectors we could compile
 dissectors to object file/ assembly, for user dissectors we'll benefit from
 LLVM JIT.
 But anyway we need compiler to C. For prototype (does it work?) and later
 as fallback for people who don't have LLVM.
 ... Or can LLVM libraries be strong dependency?
 ___
 Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
 Archives:http://www.wireshark.org/lists/wireshark-dev
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
  mailto:wireshark-dev-requ...@wireshark.org
 ?subject=unsubscribe




-- 
  Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Jakub Zawadzki]

On Sun, Jul 15, 2012 at 10:28:23AM +0100, Tyson Key wrote:
 What about implementing a compiler that generates C dissector source code,
 from NPLt m, or WSGD dissector code? 

Yes, I plan to have one:

  But anyway we need compiler to C. For prototype (does it work?) and later
  as fallback for people who don't have LLVM.

 Or would that be overkill for what we're trying to do?

It depends what we're trying to do ;-)

For me compiler to C is must-have, and even if we write only it.
It'll help to fix some bugs, like yours bug #6520.
Translating 4K lines of NPL code to C looks stupid to me, and it'll be great to 
have
automatic translator.
(of course if we base grammar on NPL).

Later we could support interpreting (or JIT) NPL, which would make
easier (and much faster) developing new dissectors.

In next step we could generate dependency graph (field foo.B exists only
when field foo.A = 5, etc...) and field to offset (field foo.A @ 10B, field 
foo.B @ 20B)
or other informations which would speedup filtering.

(Or generate completely new code like Guy suggested).

and here we can start rewriting existsing old dissectors to new language.

Anyway, Lot of possible work, which some might be seen as overkill ;-)
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Guy Harris]

On Jul 15, 2012, at 1:24 AM, Jakub Zawadzki wrote:

 On Sat, Jul 14, 2012 at 03:31:06PM -0700, Guy Harris wrote:
 
 I'm not sure it has to be a choice, though - we could implement both, 
 resources permitting, of course.  (And, of course, given that there are many 
 already-existing languages that describe protocols - ASN.1, {OSF 
 IDL/MIDL/PIDL} for DCE RPC, rpcgen for ONC RPC, CORBA IDL, xcb for X11 - we 
 will probably never have the One True Protocol Description Language.)
 
 I'd rather support one, and later have some compiler from language A to B.

Presumably by one you're referring to the choice between NPL and wsgd, given 
that we already *have* translators to take ASN.1, PIDL, CORBA IDL, and xcb and 
turn them into C dissectors.

 I was thinking to use LLVM. For built-in dissectors we could compile 
 dissectors to object file/ assembly, for user dissectors we'll benefit from 
 LLVM JIT.
 But anyway we need compiler to C. For prototype (does it work?) and later as 
 fallback for people who don't have LLVM.

...or who are using processors not supported as LLVM targets:

http://www.llvm.org/docs/CodeGenerator.html

 ... Or can LLVM libraries be strong dependency?

Not unless we drop support for OSes and instruction sets not currently 
supported by LLVM.
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Richard Sharpe]

On Sun, Jul 15, 2012 at 2:20 AM, Jakub Zawadzki
darkjames...@darkjames.pl wrote:
 On Sun, Jul 15, 2012 at 10:28:23AM +0100, Tyson Key wrote:
 What about implementing a compiler that generates C dissector source code,
 from NPLt m, or WSGD dissector code?

 Yes, I plan to have one:

  But anyway we need compiler to C. For prototype (does it work?) and later
  as fallback for people who don't have LLVM.

 Or would that be overkill for what we're trying to do?

 It depends what we're trying to do ;-)

 For me compiler to C is must-have, and even if we write only it.
 It'll help to fix some bugs, like yours bug #6520.
 Translating 4K lines of NPL code to C looks stupid to me, and it'll be great 
 to have
 automatic translator.
 (of course if we base grammar on NPL).

Well, it might look stupid to you, but it represents a quick way to
get simplify the process of producing dissectors, and writing a
dissector is very boring.

When I wrote the initial SMB dissector I wrote a language to describe
the SMB protocol, and wrote a parser in Perl to parse the description
into an AST and spit out a dissector.

The same could be done with NPL, in my view, but it misses something
important. Compiling an NPL-described protocol into a Wireshark
dissector loses a lot of information.

On the other hand, having an NPL compiler would make it easier for
others to create new dissectors.

Of course, it would be useful if we had access to ParserLanguage.Doc.

In addition, to produce Wireshark C-based dissectors from NPL would
seem not to require LLVM. A simple recursive descent parser should
suffice.

 Later we could support interpreting (or JIT) NPL, which would make
 easier (and much faster) developing new dissectors.

 In next step we could generate dependency graph (field foo.B exists only
 when field foo.A = 5, etc...) and field to offset (field foo.A @ 10B, field 
 foo.B @ 20B)
 or other informations which would speedup filtering.

 (Or generate completely new code like Guy suggested).

 and here we can start rewriting existsing old dissectors to new language.

 Anyway, Lot of possible work, which some might be seen as overkill ;-)
 ___
 Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
 Archives:http://www.wireshark.org/lists/wireshark-dev
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
  mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe



-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Richard Sharpe]

On Sat, Jul 14, 2012 at 8:26 AM, Jakub Zawadzki
darkjames...@darkjames.pl wrote:
 Hi,

 It'd be great if we have some abstract and pure (no C/assembly inline) 
 language to write dissectors.

 We could invent yet another protocol desciption language, but I was thinking
 to base grammar on netmon NPL [1] or wsgd [2].
 I'm bigger fan of NPL (sorry Olivier), nmparsers project has got large 
 collection of dissectors[3]
 which we could use (LLTD - bug #6071, Windows USB Port packets - bug #6520, 
 netsh - bug #6694)
 but there might exists some legal (patents for grammar/implementation?!) 
 issues.

It is amusing that the document Writing a Parser from Wire to Window
contains this:

You can grab some HSRP sample captures from here:
http://wiki.wireshark.org/SampleCaptures. If you load one of those
files into Network Monitor (making sure to reload your parsers first),
you should now see packets labeled as HSRP with the Description
“HSRP”.

The document can be found here:

http://nmparsers.codeplex.com/downloads/get/53465


-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] RFD: New language to write dissectors

[Guy Harris]

On Jul 14, 2012, at 8:26 AM, Jakub Zawadzki wrote:

 It'd be great if we have some abstract and pure (no C/assembly inline) 
 language to write dissectors.

Or to describe protocols and the way packets for those protocols are 
displayed - the languages in question wouldn't be as procedural as C/Lua/etc, 
they'd be more descriptive.

 We could invent yet another protocol desciption language,

...but, as you suggest, we probably shouldn't.

 but I was thinking to base grammar on netmon NPL [1] or wsgd [2].

Those are probably the two best choices.

I'm not sure it has to be a choice, though - we could implement both, resources 
permitting, of course.  (And, of course, given that there are many 
already-existing languages that describe protocols - ASN.1, {OSF IDL/MIDL/PIDL} 
for DCE RPC, rpcgen for ONC RPC, CORBA IDL, xcb for X11 - we will probably 
never have the One True Protocol Description Language.)

 I'm bigger fan of NPL (sorry Olivier), nmparsers project has got large 
 collection of dissectors[3] 
 which we could use (LLTD - bug #6071, Windows USB Port packets - bug #6520, 
 netsh - bug #6694)
 but there might exists some legal (patents for grammar/implementation?!) 
 issues.

That would be one concern - even having our own language, such as wsgd, runs 
the risk of infringing a patent, but, well, *writing software of just about any 
sort* runs the risk of infringing a patent; however, we're dealing with a large 
corporation in the case of NPL, so there's probably a greater risk that some or 
all of it is covered by patents.  Were Microsoft to explicitly state that there 
are no patents on NPL-the-language or that they're granting a royalty-free 
license for all implementations (perhaps with a mutual assured destruction 
clause, so that were we to patent some feature of Wireshark and sue Microsoft 
for violating that patent, our license for their patents would terminate), and 
the same applied to any patents they hold on their implementation of NPL that 
would block independent useful implementations, that might help.

 With wsgd we could reuse some existing code of plugin.

...and we also have more freedom to extend the language, e.g. to support 
preferences for a protocol - Paul Long's blog post says

 A common problem: “No silly, we do HTTP traffic on port , not 80 or 8080!”
  
 While changing port mappings for protocols could be something revealed in the 
 user interface, we haven’t gotten that far in Network Monitor 3.0 yet.  I 
 expect we should address this specific problem on different fronts, i.e. a UI 
 for each protocol, and some way to handle dynamic port allocations.  And 
 there are also some heuristics we can use to identify protocols as well.  But 
 today, there is a fairly simple way to modify the NPL script for protocols on 
 non-standard ports.

I don't know whether, as of 3.4, they support a UI for each protocol, and some 
way to handle dynamic port allocations, but we already have the infrastructure 
for that.

NPL also, for strings, offers 3 encodings - to quote the help manual:

 This data type extracts a specified number of characters from a sequence of 
 bytes. The characters can be UTF-16, UTF-8, or ASCII, depending on the 
 encoding specified.

There's no mention of the Extended Binary-Coded Decimal Interchange Code there, 
but we have several dissectors using ENC_EBCDIC, so that would be another place 
where we might want to extend NPL were we to use it.

Were there an Open NPL Consortium of some sort where multiple implementers of 
NPL could propose extensions, and perhaps a way an implementation could offer 
private extensions without worrying about colliding with other implementations 
or future standards, that might help.

Note, by the way, that having a language of this sort could allow something 
such as this.

Consider a protocol with the following description (in a C-like protocol 
description language that I'm making up on the fly):

enum message_type {
Login = 0,
Logout = 1,
Request = 2,
Response = 3
};

struct login {
ascii string username[16];
ascii string password[16];
};

struct request {
uint32 bigendian requested_item;
};

struct response {
uint32 bigendian value_size;
uint8 value[value_size];
};

struct request {
protocol foo {
uint32 bigendian enum message_type type;
switch (type) {

case Login:
struct login login;

case Logout:
/* logout message has only a type */

case Request:
struct request request;

case Response:
struct response response;
}
uint32 bigendian message_id;
};

which might translate to