Ethereal network protocol

Source: Internet
Author: User
Tags: ftp protocol

As the Internet has grown more capable, network protocols have grown more complex. Among the more than 500 protocols that Ethereal recognizes, the layered relationship between protocols is obvious, and it is what allows the protocols in a data stream to be processed layer by layer. Ethereal models this with a protocol tree. A simple protocol tree works like this: if all data of protocol A is encapsulated in protocol B, then protocol A is a child node of protocol B. The unstructured data stream at the lowest layer is taken as the root node, and protocols with the same parent node become sibling nodes. How, then, are sibling protocols under the same parent told apart? Ethereal uses the protocol's feature words for identification. Each protocol registers its own feature words, and these give its child protocols a way to distinguish themselves from one another. For example, once tcp has registered its port field, tcp.port = 21 can be taken to mean the ftp protocol. A feature word can be any field defined by the protocol specification; the IP protocol, for instance, can define its proto field as a feature word.

Registering a protocol parser in Ethereal therefore first states what its parent protocol is, and then states the feature value that distinguishes it from its sibling protocols under that parent node. For the ftp protocol, for example, the parent node in Ethereal is tcp, and the distinguishing feature is that the port field of tcp equals 21.

So when a tcp data stream on port 21 arrives, it is first handled by the parsing module registered for the tcp protocol. After that module has processed its own layer, it uses the protocol tree to find the sub-protocols beneath it and determine which one should run next; once the correct sub-protocol is found, the data is handed to the parsing module registered for ftp. In this way parsing proceeds layer by layer, starting from the root node.

Because of the protocol tree and feature word design, the system's protocol parsing is highly scalable: to add a protocol parser, you only need to attach the parser function to the corresponding node of the protocol tree.

Plug-in-based protocol analyzer

So-called plug-in technology divides the whole application into two parts: the host program and the plug-ins. The host program and the plug-ins can communicate with each other, and while the host program stays unchanged, plug-ins can be added, removed or modified to adjust the functions of the application. Plug-in technology can be used to develop highly scalable and easy-to-maintain applications; well-known examples include the media player Winamp and Microsoft's Internet Explorer browser.

Because network protocols are so varied, common protocol analyzers use plug-ins so that new protocol analyzers can be added at any time: to analyze a new protocol, you only need to develop the analyzer for that protocol and call the registration function to register it in the system. Adding plug-ins makes the program highly scalable and lets the various functional modules be integrated.

Adding a new protocol plug-in to a protocol analyzer usually involves plug-in installation or registration, plug-in initialization, and plug-in processing. The following uses Ethereal as an example of how plug-in technology is used to add a new protocol analysis module.

Because Ethereal uses plug-in technology, a developer does not need to understand all of its code to develop a new protocol analysis module. After writing the functions of the protocol module, the developer writes a function named in the form proto_reg_handoff_XXX and, inside it, calls the registration function that tells the system when to invoke this protocol module. For example:

Suppose you have written a protocol parsing module named dissect_myprot that parses data on tcp port 250. You can register the parser with the system using these statements:

  void
  proto_reg_handoff_myprot(void)
  {
      dissector_handle_t myprot_handle;

      /* bind the dissector function to its protocol id */
      myprot_handle = create_dissector_handle(dissect_myprot, proto_myprot);

      /* attach it to the "tcp.port" feature word: tcp port 250 -> dissect_myprot */
      dissector_add("tcp.port", 250, myprot_handle);
  }

This code tells the system to call the dissect_myprot function whenever a tcp data stream uses port 250.

Ethereal has a script dedicated to discovering the registration function names of the form proto_reg_handoff_xxx that developers define, and it automatically generates the code that calls these registration functions. Developers therefore do not need to know how their registration functions are invoked, and the new protocol analysis module is thereby added to the system.

Thanks to the plug-in approach, Ethereal's sound structural design lets developers concentrate only on the protocol modules they are developing, without caring about the structure of the whole system: to integrate a module into the system, you only need to write a registration function, and the script automatically arranges for that registration function to be called during initialization. It is precisely because of this good architecture that the system has been able to accumulate so many protocol parsers.

Although Ethereal is currently the best open-source network analysis system, it still has room for improvement. For an excellent network analyzer, parsing protocol data as correctly as possible and processing data efficiently are two important indicators. In terms of protocol recognition, Ethereal mostly uses port-based recognition, and only a small number of protocols use content-based recognition. As a result, protocol data on non-standard ports is not parsed correctly: if ftp is not running on port 21, for example, Ethereal cannot identify it and can only process the data as tcp. Content recognition, moreover, is organized as a table of recognition functions, and each time protocol data requires content recognition, every recognition function in the table is called in alphabetical order. For the Yahoo Messenger protocol, for example, recognition depends mainly on whether the first few bytes of the data are 'ymsg'; because the protocol name starts with y, by the time the protocol is identified all of the content recognition functions have already been called. These problems arise because Ethereal does not implement the tcp protocol stack and so cannot achieve stream-level recognition, which leaves some defects in protocol identification.
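The protocol tree and feature-word dispatch described earlier, together with the port-only recognition limit discussed in this paragraph, as an added example in C that is not Ethereal's code: dissector_add, lookup, the three dissectors and the 40-byte frame built in classify are all constructed stand-ins, and the registration table is a plain array rather than Ethereal's real tables.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the protocol tree: each registration binds a
 * (feature word, value) pair of the parent protocol to a child dissector. */
typedef const char *(*dissector_t)(const uint8_t *buf, size_t len);
struct reg { const char *feature; unsigned value; dissector_t child; };
static struct reg table[16];
static int nreg;

/* Stand-in for Ethereal's dissector_add("tcp.port", 250, handle). */
static void dissector_add(const char *feature, unsigned value, dissector_t child) {
    if (nreg < 16) table[nreg++] = (struct reg){ feature, value, child };
}

/* Find the sibling sub-protocol that registered this value of the feature word. */
static dissector_t lookup(const char *feature, unsigned value) {
    for (int i = 0; i < nreg; i++)
        if (strcmp(table[i].feature, feature) == 0 && table[i].value == value)
            return table[i].child;
    return NULL;
}

static const char *dissect_ftp(const uint8_t *b, size_t n) { (void)b; (void)n; return "ip/tcp/ftp"; }
/* TCP node: its feature word is the destination port (header bytes 2-3). */
static const char *dissect_tcp(const uint8_t *b, size_t n) {
    if (n < 20) return "ip/tcp(short)";
    dissector_t child = lookup("tcp.port", (unsigned)(b[2] << 8 | b[3]));
    return child ? child(b + 20, n - 20) : "ip/tcp";  /* no child: stays plain tcp */
}

/* IP node (root of this tree): its feature word is the proto field (byte 9). */
static const char *dissect_ip(const uint8_t *b, size_t n) {
    size_t ihl = n ? (b[0] & 0x0f) * 4u : 0;
    if (n < 20 || ihl < 20 || ihl > n) return "ip(short)";
    dissector_t child = lookup("ip.proto", b[9]);
    return child ? child(b + ihl, n - ihl) : "ip";
}

/* Register the tree (the proto_reg_handoff_* step), then dissect a constructed
 * IPv4+TCP frame with no payload whose destination port is dport. */
const char *classify(unsigned dport) {
    uint8_t pkt[40] = {0};
    pkt[0] = 0x45; pkt[9] = 6;                              /* IHL=5 words, proto=TCP */
    pkt[22] = (uint8_t)(dport >> 8); pkt[23] = (uint8_t)dport;
    nreg = 0;
    dissector_add("ip.proto", 6, dissect_tcp);              /* IP proto 6 -> TCP  */
    dissector_add("tcp.port", 21, dissect_ftp);             /* TCP port 21 -> FTP */
    return dissect_ip(pkt, sizeof pkt);
}
```

classify(21) walks root -> tcp -> ftp, while classify(2121) stops at tcp because no child registered that tcp.port value, which is the non-standard-port case described above.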