 Developer Information 

Joined: Thu Feb 02, 2012 3:25 pm
Posts: 26
Developer Information
I am interested in developing for Xplico. I have successfully built and installed Xplico. I am now in the process of developing a basic "hello world" dissector. Is there any additional information for developers on top of the wiki? I didn't see any forum topics regarding development. Things that I am interested in:

Detailed design documentation (more than what is on the Wiki)
- details on how the ip data is dissected, stored in the database, and viewed
- details of how each component interacts with each other
- details of the database schema
- details on how the dissectors work under the hood

Tutorial for creating new dissectors (or a good well documented sample dissector currently implemented)
- none of the dissector modules that I have looked at (ftp, tftp, http, dns, fbwchat) are well documented
- can you point me to one that is well documented that I can use as a better reference?

Looking at the source code there are references to dissectors in multiple files
- are any of these files auto-generated?
- is there a list of every file you need to modify to create a new dissector?


Wed Feb 08, 2012 7:15 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Developer Information
Quote:
I am interested in developing for Xplico.

What protocol would you like to develop?


Wed Feb 08, 2012 9:54 pm

Joined: Thu Feb 02, 2012 3:25 pm
Posts: 26
Re: Developer Information
Quote:
What protocol would you like to develop?

I haven't decided yet. Right now I'm just trying to figure out how to create a basic hello world type one. I'll try and write up some documentation on how to do it, if I can successfully get it working.


Wed Feb 08, 2012 10:14 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Developer Information
I can give you (=> do for you) a "hello world" dissector, but because in Xplico there can be various types of dissectors, it would be useful to know whether you want to develop a layer 7 dissector or a "layer 8" dissector (i.e. for example over HTTP) or otherwise.

Ciao.
Gianluca


Thu Feb 09, 2012 6:22 pm

Joined: Thu Feb 02, 2012 3:25 pm
Posts: 26
Re: Developer Information
I didn't realize you had responded to my last post! If you could provide an example dissector for a basic TCP-based protocol, that would be great. Or just help me along with the one that I am currently working on - that would be just as good. Below is the basic "helloworld" protocol that I am using. The protocol simply sends an 8-byte message. The protocol is denoted by two 16-byte fields at the start and end of the message, as shown below.

TCP Socket connection:
helloworldstarts (16 byte protocol string)
<Message to be sent> (8 byte message)
helloworldending (16 byte protocol string)

Example:
Bytes sent over the wire: "helloworldstartsmessage1helloworldending"
Message being sent: "message1"

Can you explain how Xplico recognizes a protocol in a network dump? As I understand it, each dissector is a specific protocol that Xplico can identify. Dissectors can be created on top of different protocol layers, as you mentioned in your previous post. However, I do not know how Xplico identifies a protocol and passes execution off to the dissector. I noticed some of the dissectors have a corresponding .pat file in "xplico-0.7.1\l7-patterns". However, not all dissectors have that. For example, there is no .pat file for arp or webmail.

Can you explain the flow of execution within Xplico? Which part of Xplico actually identifies a protocol in a network capture? The .pat file regular expressions? After a protocol is identified where does Xplico send the identification for further processing?

Currently, the files that I have modified are:
xplico-0.7.1\dissectors\helloworld\*
xplico-0.7.1\dispatch\lite\lite.c
xplico-0.7.1\dispatch\lite\lite.h
xplico-0.7.1\dispatch\cli\cli.c
xplico-0.7.1\dispatch\gearth.c
xplico-0.7.1\dissectors\Makefile
xplico-0.7.1\l7-patterns\helloworld.pat

If protocols are identified via regular expressions defined in the .pat files, where exactly in the code are these regular expressions loaded, and if one hits, how does Xplico know how much data to pass to the corresponding dissector module? (Most of the regular expressions seem to identify a set of bytes near the beginning of a protocol - but I can't find a pattern.)


Mon Feb 13, 2012 7:30 pm
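An added example, not code from this thread or from Xplico: a framing check in C for the "helloworld" protocol described in the post above (16-byte start marker, 8-byte message, 16-byte end marker). It shows the three outcomes a flow-verification routine has to distinguish: a complete frame, a prefix that matches but is still short, and data that is not this protocol at all. The hw_parse_str/hw_last_msg helpers are hypothetical conveniences for feeding in sample strings, not Xplico API.

```c
#include <stddef.h>
#include <string.h>

/* Framing of the "helloworld" protocol from the post above:
 * 16-byte start marker, 8-byte message, 16-byte end marker = 40 bytes. */
#define HW_START     "helloworldstarts"
#define HW_END       "helloworldending"
#define HW_MARK_LEN  16
#define HW_MSG_LEN   8
#define HW_FRAME_LEN (HW_MARK_LEN + HW_MSG_LEN + HW_MARK_LEN)

typedef enum {
    HW_OK        = 0,  /* one complete, well-formed frame was parsed        */
    HW_NEED_MORE = 1,  /* prefix matches but the frame is not complete yet  */
    HW_NOT_HW    = 2   /* a marker mismatches: this flow is not helloworld  */
} hw_status;

/* Verify one frame in buf[0..len) and copy its 8-byte message into msg
 * (NUL-terminated, so msg must hold HW_MSG_LEN + 1 bytes). On HW_OK,
 * *consumed tells the caller how many bytes belong to this frame. */
hw_status hw_parse(const unsigned char *buf, size_t len,
                   char msg[HW_MSG_LEN + 1], size_t *consumed)
{
    /* Compare whatever prefix is available against the start marker, so a
     * flow that is clearly another protocol is rejected before 40 bytes arrive. */
    size_t avail = len < HW_MARK_LEN ? len : HW_MARK_LEN;
    if (memcmp(buf, HW_START, avail) != 0)
        return HW_NOT_HW;
    if (len < HW_FRAME_LEN)
        return HW_NEED_MORE;           /* wait for the rest of the frame */
    if (memcmp(buf + HW_MARK_LEN + HW_MSG_LEN, HW_END, HW_MARK_LEN) != 0)
        return HW_NOT_HW;              /* trailer missing or corrupted */
    memcpy(msg, buf + HW_MARK_LEN, HW_MSG_LEN);
    msg[HW_MSG_LEN] = '\0';
    *consumed = HW_FRAME_LEN;
    return HW_OK;
}

/* Hypothetical helper (not Xplico API) for NUL-terminated sample strings:
 * the extracted message is kept in a static buffer read via hw_last_msg(). */
static char hw_last[HW_MSG_LEN + 1];
hw_status hw_parse_str(const char *wire)
{
    size_t used = 0;
    hw_last[0] = '\0';
    return hw_parse((const unsigned char *)wire, strlen(wire), hw_last, &used);
}
const char *hw_last_msg(void) { return hw_last; }
```

Feeding it the wire bytes from the post, "helloworldstartsmessage1helloworldending", yields HW_OK with the message "message1"; a 20-byte prefix yields HW_NEED_MORE and an HTTP request line yields HW_NOT_HW.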
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Developer Information
Hi ipfrag,
the l7-patterns are used only by the garbage dissectors (tcp_grbg, udp_grbg) (to try) to classify the protocols that other dissectors do not decode.

(One of) The bonds between one dissector and another is given by the function ProtDep(); this function defines the (static) dependence.
If you want to decode a protocol that uses the TCP destination port 657, then you must use this code (NOTE: inside DissecRegist):
Code:
    proto_dep dep;

    /* dep: tcp */
    memset(&dep, 0, sizeof(proto_dep));
    dep.name = "tcp";
    dep.attr = "tcp.dstport";
    dep.type = FT_UINT16;
    dep.val.uint16 = 657;
    ProtDep(&dep);


This is the easy way, without any type of control.

The dep.attr values can be any of those that you can see with:
Code:
./xplico -i tcp


Give me the time to give you the example code to decode your "helloworld" protocol, even with PIPI.

Ciao.
Gianluca


Mon Feb 13, 2012 8:28 pm

Joined: Thu Feb 02, 2012 3:25 pm
Posts: 26
Re: Developer Information
Thanks. In the meantime, can you give me any more information on how Xplico recognizes a specific protocol in a .pcap network dump? Can you point me to the code that handles that in Xplico?


Mon Feb 13, 2012 8:58 pm

Joined: Thu Feb 02, 2012 3:25 pm
Posts: 26
Re: Developer Information
I think I figured out some of what I was looking for. I wasn't spending much time looking at the actual dissectors in "xplico-0.7.1\dissectors". I just assumed the dissectors gained initial execution when the protocol was found and that the dissectors would just make the raw network data meaningful. Now I realize that the dissectors themselves contain code to check / verify whether a flow is their protocol. I just started looking into the "DissectInit" and "DissecRegist" functions. They seem like they will shed a lot of light on how dissectors interact with the Xplico framework.

The "xplico-0.7.1\dissectors\telnet\telnet_example.c" is a good reference to use.


Tue Feb 14, 2012 9:04 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Developer Information
Very good.


Tue Feb 14, 2012 9:31 pm