On Mon, Aug 12, 2002 at 12:02:54PM -0400, Gautham Thavva wrote:
> I am confused about what the PARENT_SUBFIELD and ID_VALUE should be.
> I thought that the PARENT_SUBFIELD should be udp.proto (like ip.proto)
> I couldn't find udp.proto.

The IP header has a field that specifies the protocol that's being used on top of IP. There are only a small number of protocols that run *directly* atop IP (e.g., TCP, UDP, ICMP, OSPF, SCTP), so it's reasonable to assign numbers to those protocols. Furthermore, the model is that there is, on a given network endpoint, only one TCP implementation, only one UDP implementation, only one ICMP implementation, etc., so you don't need to identify which particular TCP, etc. instance is sending the packet or to which TCP, etc. instance the packet is being sent.

However, for TCP and UDP, there is no such small set of protocols, *and* there can be multiple instances endpoints for a given protocol - e.g., you could have multiple programs running on a machine sending mail over SMTP, and you could have multiple server processes on a machine accepting that mail - so there's no "protocol ID" field in the TCP or UDP header. Instead, there are "source port" and "destination port" fields, which identify the endpoints.

Sometimes a particular port number is assigned to a protocol, and that port number is used for *one* of the endpoints. If there's a particular port number assigned to LAPV-over-UDP, you would use "udp.port" as the PARENT_SUBFIELD and the port number as the ID_VALUE.

If there *isn't* a particular port number assigned to LAPV-over-UDP, it's not that easy. Ethereal can't magically intuit what a particular port number is being used for; at best, it can try to *guess* what the port number is being used for by looking at the packet's contents. If that's possible with LAPV-over-UDP (I know nothing about LAPV, so I have no idea whether that's feasible), you'd write a heuristic dissector.

If that's *not* possible with LAPV-over-UDP, you'd have to add a protocol preference for LAPV-over-UDP that specifies the port number.
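
The dispatch described in this message, as an added example that is not part of the original post and does not use Ethereal's actual dissector API: a toy classifier in C that selects by the IP protocol field, then by an assigned UDP port on either endpoint, then by a user-set port or a payload heuristic. The port table contents, `lapv_pref_port`, and the marker bytes in `lapv_heuristic` are assumptions constructed for illustration; they are not the real LAPV format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the dispatch described above; not Ethereal's API. */
static const struct { uint16_t port; const char *proto; } udp_ports[] = {
    {53, "dns"}, {69, "tftp"},   /* assigned ports, used by one endpoint */
};
static uint16_t lapv_pref_port = 0;  /* hypothetical preference; 0 = unset */

/* Hypothetical heuristic: constructed marker, NOT the real LAPV format. */
static int lapv_heuristic(const uint8_t *p, size_t len) {
    return len >= 4 && p[0] == 0xA5 && p[1] == 0x5A;
}

static const char *by_port(uint16_t port) {
    for (size_t i = 0; i < sizeof udp_ports / sizeof udp_ports[0]; i++)
        if (udp_ports[i].port == port) return udp_ports[i].proto;
    return (lapv_pref_port && port == lapv_pref_port) ? "lapv" : NULL;
}

/* dgram points at the 8-byte UDP header; returns the payload protocol. */
const char *classify_udp(const uint8_t *dgram, size_t len) {
    if (len < 8) return "malformed";
    uint16_t sport = (uint16_t)(dgram[0] << 8 | dgram[1]);
    uint16_t dport = (uint16_t)(dgram[2] << 8 | dgram[3]);
    uint16_t ulen  = (uint16_t)(dgram[4] << 8 | dgram[5]);
    if (ulen < 8 || ulen > len) return "malformed";
    const char *proto = by_port(sport);   /* either endpoint may hold */
    if (!proto) proto = by_port(dport);   /* the assigned port        */
    if (!proto && lapv_heuristic(dgram + 8, (size_t)ulen - 8)) proto = "lapv";
    return proto ? proto : "data";
}

/* ip.proto analogue: the IPv4 header names its payload protocol directly. */
const char *classify_ipv4(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return "malformed";
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return "malformed";
    if (pkt[9] == 1) return "icmp";
    if (pkt[9] == 6) return "tcp";
    if (pkt[9] == 17) return classify_udp(pkt + ihl, len - ihl);
    return "unknown-ip-proto";
}

int main(void) {   /* constructed IPv4/UDP packet, ports 40000 -> 53 */
    uint8_t pkt[32] = {0x45, [9] = 17, [20] = 0x9C, 0x40, 0, 53, 0, 12};
    return puts(classify_ipv4(pkt, sizeof pkt)) == EOF;
}
```

With neither port in the table and no heuristic match, the payload stays unclassified ("data") until the preference port is set, which is the last case the message describes.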
