Hi List!

Currently often working with fragmented / segmented data in DCE-RPC / TCP data, I'm facing real problems each time to get an idea which data is coming from which packet layer etc. It's not that I don't understand the way the protocols are working, but it's really difficult to understand the representation on the screen.

For example, if an upper layer protocol (e.g. DCE/RPC) reassembles its data from the underlying TCP stream, you'll see the reassembled TCP in the "Packet Bytes", but it took me quite some time to find the information (deeply in the TCP tree) involved in the reassembling and understand it correctly.

As a way to display these things better, I'm thinking about adding related top level tree items like the following between TCP and DCE RPC:

Frame 4823 (146 bytes on wire, 146 bytes captured)
Ethernet II, Src: 08:00:06:0f:49:75, Dst: 08:00:06:24:7c:ff
Internet Protocol, Src Addr: 10.120.235.62 (10.120.235.62), Dst Addr: 10.120.235.43 (10.120.235.43)
Transmission Control Protocol, Src Port: 1097 (1097), Dst Port: epmap (135), Seq: 2917, Ack: 297, Len: 92
[Reassembled TCP Segments (144 bytes): #4822(52), #4823(92)]
DCE RPC Request, Fragment: Single, FragLen: 144, Call: 350748733 Ctx: 16 [Response in: 4917]

I've implemented a prototype (only a few changes required), and experienced the following: This will use some more space for the top level items, but it gives a far better understanding how (and what) Ethereal had dissected and what it's showing now.

Anyone with an even better idea how to display this?

Of course, this would also be useful for similar things like unzipped HTTP data, fragmented DCE/RPC, ...

Regards, ULFL
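The reassembly the mail describes, as an added example (not Ethereal's own code): a small Python model that buffers TCP segment payloads per stream, reads frag_length from the DCE/RPC connection-oriented common header, and records which frame contributed how many bytes, so it can print the proposed "[Reassembled TCP Segments ...]" line. The packet bytes are constructed to match the numbers in the mail (144-byte request split 52/92 over frames 4822 and 4823); the Pdu and StreamReassembler names are mine.

```python
"""Added example (not Ethereal code): which TCP segment supplied which bytes of a DCE/RPC PDU."""
import struct
from dataclasses import dataclass, field
CO_HDR_LEN = 16  # connection-oriented DCE/RPC common header
@dataclass
class Pdu:
    frag_len: int
    call_id: int
    data: bytes
    segments: list  # (frame number, bytes contributed) in arrival order
    def summary(self) -> str:  # the tree item proposed in the mail
        parts = ", ".join(f"#{n}({c})" for n, c in self.segments)
        return f"[Reassembled TCP Segments ({self.frag_len} bytes): {parts}]"
@dataclass
class StreamReassembler:
    buf: bytes = b""
    segs: list = field(default_factory=list)  # [frame, unconsumed bytes]
    def feed(self, frame: int, payload: bytes) -> list:
        """Add one TCP segment's payload; return the PDUs it completes."""
        self.buf += payload
        self.segs.append([frame, len(payload)])
        done = []
        while len(self.buf) >= CO_HDR_LEN:
            end = "<" if self.buf[4] & 0x10 else ">"  # drep[0] bit 4 set: little-endian
            frag_len, = struct.unpack_from(end + "H", self.buf, 8)
            call_id, = struct.unpack_from(end + "I", self.buf, 12)
            if frag_len < CO_HDR_LEN:
                raise ValueError("frag_length smaller than header")
            if len(self.buf) < frag_len:
                break  # PDU still incomplete: wait for the next segment
            need, used = frag_len, []
            while need > 0:  # charge the PDU's bytes to frames in arrival order
                fr, avail = self.segs[0]
                take = min(avail, need)
                used.append((fr, take))
                need -= take
                if take == avail:
                    self.segs.pop(0)
                else:
                    self.segs[0][1] = avail - take
            done.append(Pdu(frag_len, call_id, self.buf[:frag_len], used))
            self.buf = self.buf[frag_len:]
        return done
def demo() -> Pdu:
    # constructed request: 16-byte header, alloc_hint/ctx 16/opnum, 120 stub bytes
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0, 3, b"\x10\x00\x00\x00", 144, 0, 350748733)
    pdu = hdr + struct.pack("<IHH", 120, 16, 3) + bytes(120)
    r = StreamReassembler()
    assert r.feed(4822, pdu[:52]) == []  # 52 bytes arrive in #4822, PDU incomplete
    return r.feed(4823, pdu[52:])[0]     # the 92 bytes in #4823 complete it
```

A segment that carries the tail of one PDU and the head of the next is charged to both, which is the case the TCP tree makes hardest to read by hand.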