Jeff, thank you for your reply.

2011/4/29 Jeff Morriss <[email protected]>:
> Max wrote:
>>
>> For now I use "global" conversation state for dissection if the packet
>> has no proto data associated with it, otherwise I use state from
>> associated data which stores the state before first packet dissection
>> was done. Am I right doing such things?
>
> Do you mean you try to use data from the stored conversation state (ala
> README.request_response_tracking) and if that does not exist then fall back
> to a global variable? I think normally the fallback to not having the
> conversation data is to just assume it's the first packet (decode it as such
> and then create a conversation structure). But maybe I misunderstand your
> question.
I do it in the following way:

1) If no conversation data is associated with my proto, I assume that it is the first packet.

2) If I have conversation data, but no proto data associated with the packet, I use the conversation data's phase to dissect the packet. If dissection succeeds, then I save the old phase information into the packet's proto data and update the conversation's phase.

3) If the packet has proto data, I use its phase to dissect the packet. Conversation state is not updated in that case.

>> The next problem is decryption and decompression. I've read how this
>> should be done, but I have not found any info regarding the following
>> moments:
>>
>> 1) Whether decryption and decompression should be done every time the
>> dissector is called? Or is there a way to figure out that it was already
>> done?
>
> I don't know how it's normally done, but I think the only way you'd know if
> it had already been done is if you stored the result of the decryption in a
> dissector-specific structure in a way that you can easily find it again. I
> suspect, though, that normally the decryption is redone each time it is
> needed.

I looked through the SSL dissector. It decrypts the packet only during the first dissection and keeps the allocated buffer in the packet's proto data. But the child tvbuff is created on every dissection for this buffer.

>> 2) How to run a dissector on the decrypted tvbuff? Should it be done
>> manually or does Wireshark do this itself?
>
> You need to do that manually: once you have the decrypted data in a (new)
> TVB you need to call a (sub)dissector on it.

Yep!

>> 3) If it is supposed that decryption is done every time the dissector
>> is called, how then should I keep the decryption cipher context?
>> Cloning and storing the cipher context for every packet may cost a lot
>> of memory, and AFAIK libgcrypt doesn't provide any means
>> to clone the context (cipher handle).
>
> I can't even hazard a guess on this one...

Since the decryption is done only once, the problem is absent.
--
Max
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
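The three-step scheme Max describes (steps 1-3 above), as an added example that is not from this thread or from Wireshark's own code: a self-contained C model of conversation state plus per-packet saved state, showing why a packet re-dissected out of order decodes the same way as on the first pass. The `conv` and `pkt_data` tables are stand-ins for what a real dissector would keep via conversation proto data and per-packet proto data; the phases, the toy decoder and the packet bytes are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Phases of a toy handshake protocol; constructed for this example. */
enum phase { PHASE_ERROR = -1, PHASE_HELLO = 0, PHASE_KEYEX = 1, PHASE_DATA = 2 };
#define MAX_PKTS 8

/* Stand-in for conversation proto data (one per flow). */
static struct { enum phase phase; int initialised; } conv;
/* Stand-in for per-packet proto data (one per frame). */
static struct { enum phase phase; int present; } pkt_data[MAX_PKTS];

void reset_state(void) {
    memset(&conv, 0, sizeof conv);
    memset(pkt_data, 0, sizeof pkt_data);
}

/* Toy decoder: each phase accepts exactly one leading byte (an assumption). */
static int decode_in_phase(unsigned char first_byte, enum phase ph) {
    static const unsigned char expected[] = { 0x01, 0x02, 0x17 };
    return ph >= PHASE_HELLO && ph <= PHASE_DATA && first_byte == expected[ph];
}

/* Models steps 1-3 from the mail. Returns the phase the packet was decoded with,
 * or PHASE_ERROR; conversation state only advances on a successful first pass. */
enum phase dissect(unsigned pkt_no, unsigned char first_byte) {
    enum phase ph;
    if (pkt_data[pkt_no].present) {
        ph = pkt_data[pkt_no].phase;      /* step 3: re-dissection, replay saved phase */
    } else if (!conv.initialised) {
        ph = PHASE_HELLO;                 /* step 1: no conversation data -> first packet */
    } else {
        ph = conv.phase;                  /* step 2: first pass, use the flow's phase */
    }
    if (!decode_in_phase(first_byte, ph))
        return PHASE_ERROR;
    if (!pkt_data[pkt_no].present) {
        pkt_data[pkt_no].phase = ph;      /* remember phase used, then advance the flow */
        pkt_data[pkt_no].present = 1;
        conv.initialised = 1;
        conv.phase = ph < PHASE_DATA ? (enum phase)(ph + 1) : PHASE_DATA;
    }
    return ph;
}

int main(void) {
    reset_state();
    dissect(0, 0x01); dissect(1, 0x02); dissect(2, 0x17);    /* first pass, in order */
    printf("packet 1 re-dissected: phase %d\n", dissect(1, 0x02)); /* 1 == PHASE_KEYEX */
    return 0;
}
```

A packet that fails to decode stores nothing and leaves the conversation phase untouched, so it fails the same way on every later pass.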
