author: Laurent Ghigonis <laurent@p1sec.com> 2013-04-06 23:36:00 +0200
committer: Laurent Ghigonis <laurent@p1sec.com> 2013-04-06 23:36:00 +0200
commit: 19bc07d94f4f6a99034820f40f2cb437b897f734 (patch)
tree: 9822c50372486a064ab51355e72fb585984c8b1d
parent: qvm-screenshot: select window border with scrot (diff)
download: laurent-tools-19bc07d94f4f6a99034820f40f2cb437b897f734.tar.xz
laurent-tools-19bc07d94f4f6a99034820f40f2cb437b897f734.zip
wireshark_dechunk: IDEAs on dechunking in Wireshark
-rw-r--r-- wireshark_dechunk/README.txt 48
1 files changed, 48 insertions, 0 deletions
diff --git a/wireshark_dechunk/README.txt b/wireshark_dechunk/README.txt
new file mode 100644
index 0000000..1635ce3
--- /dev/null
+++ b/wireshark_dechunk/README.txt
@@ -0,0 +1,48 @@
+IDEA STAGE
+
+Add an option to Wireshark (libwireshark / epan) to give hability to dissectors
+to dechunk frames, by creating multiple fake frames each containing part of the
+data from one frame.
+
+Goal is to dechunk SCTP and TCAP on the fly.
+
+===============================================================================
+Options presented to Wireshark / tshark
+
+* dechunk SCTP (default True)
+* dechunk TCAP (default True)
+* save PCAP as dechunked (default False)
+
+===============================================================================
+Code: Insert fake dechunked frames instead of chunked frame
+
+file.c:
+add_packet_to_packet_list(frame_data *fdata, capture_file *cf,
+ dfilter_t *dfcode, gboolean create_proto_tree, column_info *cinfo,
+ struct wtap_pkthdr *phdr, const guchar *buf,
+ gboolean add_to_packet_list)
+
+after epan_dissect_run_with_taps(&edt, phdr, buf, fdata, cinfo);
+if edt.fake_frames:
+ for each edt.fake_frame:
+ packet_list_append(cinfo, fdata, &edt.pi);
+
+Data passed in frame_data (epan/frame_data.h)
+New methods from frame list manipulation in frame_data_sequence.c
+
+Actual Callgraph
+read_packet
+ frame_data_sequence_add
+ add_packet_to_packet_list # target function
+ epan_dissect_run_with_taps
+ dfilter_apply_edt
+ packet_list_append
+rescan_packets
+ add_packet_to_packet_list # target function
+
+===============================================================================
+Code: Create fake dechunked frames from chunked frame
+
+epan/dissectors/packet-sctp.c
+dissect_sctp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+pinfo->fd (frame_data)
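Review bot: the sketch `for each edt.fake_frame: packet_list_append(cinfo, fdata, &edt.pi);` in the "Insert fake dechunked frames" section appends the same original `fdata` and the same `edt.pi` for every fake frame, so the per-chunk data the README says is carried in `frame_data` (epan/frame_data.h) never reaches the packet list; each fake frame needs its own `frame_data` with its own frame number, registered through the `frame_data_sequence_add` step shown in the call graph, otherwise the `rescan_packets -> add_packet_to_packet_list` path will regenerate the fake frames on every filter change and the packet list will hold duplicates that cannot be addressed by number. The "save PCAP as dechunked" option also deserves a sentence on which `wtap_pkthdr` fields (timestamp, link type, captured length) the synthesized frames inherit, since they have no capture-time header of their own. Minor: "hability" should read "ability", and "Actual Callgraph" presumably means the current call graph before the change.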