 Questions about PEI format/purpose; extracting info from PEI 
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Questions about PEI format/purpose; extracting info from
Hi Kizzo,
Quote:
Is there any way to detect a TCP open/connect in this way?

This task is done by the TCP dissector. Each stream (thread) delivered to a dissector over TCP is a TCP stream.
Not all packets are delivered to the dissectors above TCP, only the SYN packets and non-empty packets. Packet ordering (by sequence numbers) is guaranteed, as is the absence of (any type of) repetition and the reporting of lost data.
Quote:
And what about TCP opens/connects later on in the traffic stream? How do you detect those?

It is the TCP dissector that does it.
Quote:
My current solution seems to only tell me when the first SYN occurred - not any later ones, if any. Maybe that's something I'll figure out after I figure out the above problem.

If FTP has a flow then this is a stream and it starts with SYN, SYN/ACK, ACK, but not all packets are sent to FTP (or other dissectors). Xplico is not a protocol analyzer like Wireshark; it does not focus on the packets but on the (application) information carried.
The PEI is not intended to describe each packet of a protocol, nor every message of a protocol, but only macroscopic information (e.g. an HTML page, a VoIP call, or a channel in a chat) carried by the protocol.

Quote:
One definition I propose: A PEI is constructed from whatever data a dissector chooses to dissect from each packet given to it. For each piece of data that the dissector considers to be important about a packet, it will represent it as a PEI component of the overall PEI for this packet.

A PEI is constructed from whatever data a dissector chooses to dissect from each packet or stream given to it. For each piece of data that the dissector considers to be important about a packet or stream, it will represent it as a PEI component of the overall PEI for this packet or stream.
The aim is to extract the information exchanged (by users) with the protocol, not protocol analysis. So the PEI and its components are the container of this information.

I do not have much time to respond; I will do better when I get back from vacation.

Ciao.
Gianluca


Thu Aug 19, 2010 9:33 am