IDEA STAGE - 04/2013
Add an option to Wireshark (libwireshark / epan) to give dissectors the ability
to dechunk frames by creating multiple fake frames, each containing part of the
data from one frame.
The goal is to dechunk SCTP and TCAP on the fly.
===============================================================================
Options presented to Wireshark / tshark
* dechunk SCTP (default True)
* dechunk TCAP (default True)
* save PCAP as dechunked (default False)
===============================================================================
Code: Insert fake dechunked frames instead of chunked frame
file.c:
  add_packet_to_packet_list(frame_data *fdata, capture_file *cf,
      dfilter_t *dfcode, gboolean create_proto_tree, column_info *cinfo,
      struct wtap_pkthdr *phdr, const guchar *buf,
      gboolean add_to_packet_list)
    after epan_dissect_run_with_taps(&edt, phdr, buf, fdata, cinfo);
      if edt.fake_frames:
        for each edt.fake_frame:
          packet_list_append(cinfo, fdata, &edt.pi);
Data passed in frame_data (epan/frame_data.h)
New methods for frame list manipulation in frame_data_sequence.c
Current call graph
  read_packet
    frame_data_sequence_add
    add_packet_to_packet_list # target function
      epan_dissect_run_with_taps
      dfilter_apply_edt
      packet_list_append
  rescan_packets
    add_packet_to_packet_list # target function
===============================================================================
Code: Create fake dechunked frames from chunked frame
epan/dissectors/packet-sctp.c
  dissect_sctp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    pinfo->fd (frame_data)
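
Added example (not part of the original note and not Wireshark code): a standalone sketch of the splitting step proposed in this section, cutting one SCTP packet into per-chunk fake frames with bounds checks on every chunk length. The names chunk_ref, sctp_find_chunks, sctp_fake_frame and sample_pkt are hypothetical, and the buffer is assumed to start at the SCTP common header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCTP_HDR_LEN  12  /* ports, verification tag, checksum */
#define CHUNK_HDR_LEN  4  /* type, flags, 16-bit length */
/* Hypothetical type: where one chunk sits inside the original frame. */
struct chunk_ref { size_t off; uint16_t len; uint8_t type; };

/* Constructed sample: common header, DATA chunk (17 bytes + 3 pad), SACK. */
const uint8_t sample_pkt[48] = {
    0x0b,0x59,0x0b,0x59, 0,0,0,1, 0,0,0,0,                /* common header */
    0x00,0x03,0x00,0x11, 0,0,0,1, 0,0,0,0, 0,0,0,3,       /* DATA, len 17 */
    0x41, 0,0,0,                                          /* payload + pad */
    0x03,0x00,0x00,0x10, 0,0,0,1, 0,0,0xff,0xff, 0,0,0,0  /* SACK, len 16 */
};

/* Locate every chunk in an SCTP packet that starts at the common header.
 * Returns the chunk count, or -1 on a malformed length or a full out[]. */
int sctp_find_chunks(const uint8_t *pkt, size_t pkt_len,
                     struct chunk_ref *out, int max_out)
{
    size_t off = SCTP_HDR_LEN;
    int n = 0;
    if (pkt_len < SCTP_HDR_LEN) return -1;
    while (off < pkt_len) {
        size_t left = pkt_len - off;
        if (left < CHUNK_HDR_LEN || n == max_out) return -1;
        uint16_t clen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        /* A length below 4 would stall the loop; above 'left' would overread. */
        if (clen < CHUNK_HDR_LEN || clen > left) return -1;
        out[n++] = (struct chunk_ref){ off, clen, pkt[off] };
        /* Chunks are padded to 4 bytes; tolerate missing final padding. */
        size_t padded = ((size_t)clen + 3) & ~(size_t)3;
        off += (padded <= left) ? padded : clen;
    }
    return n;
}

/* Build one fake frame: the original common header plus a single chunk.
 * The copied checksum covered the whole packet, so it no longer verifies. */
size_t sctp_fake_frame(const uint8_t *pkt, const struct chunk_ref *c,
                       uint8_t *dst, size_t dst_len)
{
    size_t need = SCTP_HDR_LEN + (size_t)c->len;
    if (dst_len < need) return 0;  /* 0 means dst is too small */
    memcpy(dst, pkt, SCTP_HDR_LEN);
    memcpy(dst + SCTP_HDR_LEN, pkt + c->off, c->len);
    return need;
}
```

Each chunk_ref would correspond to one fake frame handed to the packet list; a chunk length of zero or one that runs past the captured data is rejected instead of being followed.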