updated and improved firebird wire protocol dissector

This issue was migrated from bug 3749 in our old bug tracker.

Original bug information:

Reporter: Mark Chambers
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: All
Platform: All
Version: 1.3.x (Experimental)

Attachments:

packet-gdsdb.c.diff: patch for packet-gdsdb.c
SampleGDSDBCapturex: sample capture file containing GDSDB traffic

Mark Chambers said:

Created attachment 3360 patch for packet-gdsdb.c

Build Information: wireshark 1.3.0 (SVN Rev 28690)

Copyright 1998-2009 Gerald Combs <gerald@‍wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without PortAudio, without AirPcap. NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.

Running on Linux 2.6.28-13-generic, with libpcap version 1.0.0.

Built using gcc 4.3.3.

updated and improved firebird wire protocol dissector

added enhancement libwireshark versiondev labels

Bill Meier said:

1. I'd appreciate a summary of the changes and improvements. (I haven't yet looked at the patch).

2. Can you provide a capture file containing GDS-DB traffic ?

Thanks !

Mark Chambers said:

Created attachment 3442 sample capture file containing GDSDB traffic

Mark Chambers said:

Improvements:

1. GDSDB packets contain one or more, full or partial messages. The old
dissector only attempted to decode the first message in a packet. The new
dissector attempts to decode all the messages in a packet.

2. There are about 80 message types defined in the protocol. The old dissector
didn't attempt to decode all of them. The new dissector does.

3. Each message contains several fields. The old dissector didn't attempt to
show many of these fields. The new dissector does.

Known Problems:

1. GDSDB messages are not self describing and the length of the data is very
difficult to determine just by looking at an individual packet. Unfortunately,
the  "fetch  response" message (which contains the actual data returned by an
sql query) is one of these.  In order to decode it, information from a previous
message (the "prepare response") needs to be remembered and matched against at
he multiple following "fetch response" messages.  The format of the data for
both the description in the "prepare response" and "fetch response" is not
described anywhere except deep in the firebird source code.

As a result of this, the dissector cannot currently decode "fetch response"
messages and gets confused about messages that follow it. Both the old and new
dissectors suffer from this but it is more of a problem in the new dissector
because it tries harder to actually decode following messages.

This confusion can result in garbled messages, dissector exceptions and
hangups.

2. Follow on messages (ie. the ones that you use DESEGMENT_ONE_MORE_SEGMENT to
handle) are not processed correctly. Theoretically, this can be fixed, but it
doesn't work the way I expected it to and due to the problems outlined in (1),
there doesn't seem to be much point.

Summary

On reflection, I am not happy at all with the state of this dissector. You get
a better (although still incomplete) picture of what is going on with the new
dissector than the old one but at the expense of dissector exceptions and
hangups. Should it be included? I don't know.

Jaap Keuter said:

(In reply to comment #3)  
> Summary  
>  
> On reflection, I am not happy at all with the state of this dissector. You get  
> a better (although still incomplete) picture of what is going on with the new  
> dissector than the old one but at the expense of dissector exceptions and  
> hangups. Should it be included? I don't know.  

Hmmm, exceptions and hangups disqualifies it for inclusion right now.

On the request response tracking, there's a README on that. Have you checked it for inspiration?

Mark Chambers said:

(In reply to comment #4)  
> (In reply to comment #3)  
> > Summary  
> >  
> > On reflection, I am not happy at all with the state of this dissector. You get  
> > a better (although still incomplete) picture of what is going on with the new  
> > dissector than the old one but at the expense of dissector exceptions and  
> > hangups. Should it be included? I don't know.  
>  
> Hmmm, exceptions and hangups disqualifies it for inclusion right now.  

Understood. I'll just have to keep working on it.

>  
> On the request response tracking, there's a README on that. Have you checked it  
> for inspiration?  
>  

Thanks. I hadn't seen it and it looks very useful.

Bill Meier said:

Comment on attachment 3360 patch for packet-gdsdb.c

(Attachment marked as 'not accepted' as per comment #‍4)

Gerrit Code Review said:

Change 8494 had a related patch set uploaded by Michael Mann: Improve Firebird/Interbase dissector.

https://code.wireshark.org/review/8494

Gerrit Code Review said:

Change 8494 merged by Michael Mann: Improve Firebird/Interbase dissector.

https://code.wireshark.org/review/8494

closed