Re: [Ethereal-dev] RFC framework for graphical extensions like t he recent rate_

[Jason House]

Unfortunately, I have been unable to share my work on extending ethereal with the general developer community.  I hope to be able to use the recent push for graphing as a window to share some of the work that I've done.  I won't know if I can share anything until late next week at the earliest, but I still want to share what kind of implementation I've done in the hope that it will help with the conceptual development... and hopefully pave a way to allow some of my stuff to get incorporated into the core ethereal source.   It is currently based on STL, but I know that glib provides similar functionality and that this stuff could be ported over with some effort.

Now that I've gotten that out of the way...
In a nutshell, I've merged protocol hierarchy statistics with graphing/rate graphing capabilities.  I didn't just do protocol hierarchy statistics though... I tried to adopt a more generic structure.  I adopted a hierarchical structure for accessing data to graph, exactly what was in the hierarchy was left open.

Before I describe implementations that I've used, I want to give some examples of just what kind of information was held in the hierarchy...
Here is a snippet from my current config file
(reformatted a bit to look right in my e-mail editor... probably terrible in other editors...)
TABLE
NAME      IP_SRC_DST
ID        9
KEY       ip.src
KEY       ip.dst
VALUE     ip.len
PLOT      YES
ENABLE    YES
this generates a hierarchy with 2 levels (beyond separation by table ID)
You can access graphs by looking just at the source ip address  (graphs currently are rate graphs, packet size histograms, and mean value per time interval)  You can also access graphs by looking at the source ip address + destination ip address pair.  I currently restrict the VALUE to be any numerical filterable field.  The KEY fields are fvalue_t and can be any filterable field in ethereal.

I've added a bit of code to find when a packet is first being dissected  (generally in the file load stage or "update list of packets in real time"...)  My method was to walk the tree generated by the ethereal dissectors.  I've even implemented a browsing of the tree that conforms with stuff such as OSPF's LSA's.  (I also have modified packet-ospf to have some filterable fields... I have not submitted the patch for that yet, but do plan to do so soon)  The graphs/summaries can be displayed in both ethereal and tethereal.  Ethereal has a gtk implementation that it uses for displaying the hierarchical information.  It is currently based on a list instead of a tree, but has a set of boxes to specify what to show in the list...  Graphing in ethereal is done with a modified version of gtkfigure.c... something I found online.  The original author does not reply to e-mails... :(  I like it because it makes matlab-like plots...  Tethereal writes tables to files.  What it puts in the table has an analogous structure to the the list in ethereal.  The "what to show" filters are the same...  Tethereal also writes out time series data to a file which I then can open/analyze in matlab...

I also have an older, less well integrated form of this stuff, but I won't describe it here...