Writing External Protocol Filters

1. What Are They?

External filters take a TCP data stream and produce some
kind of useful formatted output.  Normally you don't care
where the packet boundaries were when the data was transmitted.
If you do want to see them, you can select 'frames and data'
in the 'Follow Stream' menu.

2. How do you use them?

Select 'Follow Stream' on the tcpview pulldown menu.  Select
either 'data' or 'frames and data' and the filter.  Click
on 'Filter'.

3. How do you write one?

A filter takes the data stream as stdin and writes its decoded output
to stdout.  The data stream is in hexdump format with frame summaries.
To see what it looks like, select "Send data and frames to external
file (or window) with format hex".

The sample file hex.c takes care of converting this to binary, as
well as writing the frame summaries to stdout.  All you have to
do is call hexread() to read your data.

int hexread(void *ptr, int len)

writes the next 'len' bytes of stream data to 'ptr'.  It returns 0 on
failure.

SAMPLE PROGRAMS :

hex.c contains the code to read the hexdump formatted data.  Link 
this with your filter program.

generic.c is a very simple filter.  You can use it as a template for
starting larger programs.

bgp.c is a complete BGP decoder program. 
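
The following is an added example, not code from tcpview, hex.c or bgp.c.
It shows the read loop of a filter built on hexread(): it walks BGP message
headers (RFC 4271) and checks the length field, which comes from untrusted
network data, before that field sizes a read into a fixed buffer.
Assumptions: the hexread() in the block is a stand-in fed from memory so the
file runs on its own, hexread() returns non-zero on success, and the name
decode_bgp_stream() is hypothetical.

```c
/* Added example, not tcpview code: a filter skeleton that walks BGP message
 * headers (RFC 4271) read through hexread() and bounds the length field.
 * This hexread() is a stand-in fed from a constructed buffer so the file
 * runs alone; in a real filter, delete it and link hex.c instead. */
#include <stdio.h>
#include <string.h>

#define BGP_HDR 19   /* 16-byte marker + 2-byte length + 1-byte type */
#define BGP_MAX 4096 /* largest message RFC 4271 allows */

static const unsigned char *src; /* stand-in stream state (assumption) */
static int src_left;

int hexread(void *ptr, int len) /* contract from the page: 0 on failure */
{
    if (len < 0 || len > src_left) return 0;
    memcpy(ptr, src, len);
    src += len; src_left -= len;
    return 1;
}

/* Returns the number of well-formed messages, or -1 on a malformed one. */
int decode_bgp_stream(void)
{
    static const char *names[] = {"?", "OPEN", "UPDATE", "NOTIFICATION", "KEEPALIVE"};
    unsigned char hdr[BGP_HDR], body[BGP_MAX - BGP_HDR];
    int count = 0;

    while (hexread(hdr, BGP_HDR)) {
        int len = (hdr[16] << 8) | hdr[17];
        int type = hdr[18];
        /* len comes off the wire: bound it before it sizes a read. */
        if (len < BGP_HDR || len > BGP_MAX) return -1;
        if (len > BGP_HDR && !hexread(body, len - BGP_HDR)) return -1;
        printf("BGP %s, %d bytes\n",
               type >= 1 && type <= 4 ? names[type] : names[0], len);
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: one KEEPALIVE (all-ones marker, length 19, type 4). */
    unsigned char ka[BGP_HDR];
    memset(ka, 0xff, 16); ka[16] = 0; ka[17] = BGP_HDR; ka[18] = 4;
    src = ka; src_left = sizeof ka;
    return decode_bgp_stream() == 1 ? 0 : 1;
}
```

Without the two length checks, a length below 19 would make the body size
negative and a length above 4096 would overrun the body buffer.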







