Discussion:
An iSCSI expert system for wireshark
Richard Sharpe
2010-01-20 02:17:43 UTC
Permalink
Post by jimmy wang
Hi core developer,
I’m a member of Inventec Tianjin Company. We write an iSCSI expert
1. An iscsi PDU analyzing expert system with about 50 rules. The system can
detect protocol errors like StatSN less than ExpStatSN, Login response CSG
bad value, etc.
2. An enhanced iscsi dissector which is based on packet-iscsi.c
3. An iscsi expert information dialog which displays the expert system
detection results, iscsi session/connection topology tree and iscsi
parameters.
4. An iscsi flow dialog which displays the iscsi PDU sequence, iscsi
session/connection topology tree and iscsi statistics information.
The attachments are snapshots of the expert information dialog and iscsi
flow dialog.
1. Epan\dissectors\Packet-iscsi.c - enhanced iscsi dissector
2. Epan\dissectors\iscsiexpert-rules.c - included by packet-iscsi.c
for expert system rules
3. Gtk\iscsiexpert_dlg.c - expert information dialog
4. Gtk\iscsiexpert_stat.c - iscsi flow dialog
We want our dissector and dialog to be included in the main wireshark
1. Is it possible?
2. May we just send a patch based on packet-iscsi.c or do we need to send a new
file named packet-iscsiexpert.c for the iscsi dissector? If we use
packet-iscsiexpert.c, we need to add a new protocol iscsi[E] and need to enable
iscsi[E] and disable iscsi manually.
Thanks for your time.

Hmmm, this is interesting.

Can you send it to me please ... I have been wanting to do some work
on the iSCSI dissector for a while, and this sounds interesting.
--
Regards,
Richard Sharpe
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
jimmy wang
2010-01-20 02:13:40 UTC
Permalink
Hi core developer,
I’m a member of Inventec Tianjin Company. We write an iSCSI expert
system based on wireshark. The main features of the system include:
1. An iscsi PDU analyzing expert system with about 50 rules. The system can
detect protocol errors like StatSN less than ExpStatSN, Login response CSG
bad value, etc.
2. An enhanced iscsi dissector which is based on packet-iscsi.c
3. An iscsi expert information dialog which displays the expert system
detection results, iscsi session/connection topology tree and iscsi
parameters.
4. An iscsi flow dialog which displays the iscsi PDU sequence, iscsi
session/connection topology tree and iscsi statistics information.
The attachments are snapshots of the expert information dialog and iscsi
flow dialog.

The expert system includes the following source files:
1. Epan\dissectors\Packet-iscsi.c - enhanced iscsi dissector
2. Epan\dissectors\iscsiexpert-rules.c - included by packet-iscsi.c
for expert system rules
3. Gtk\iscsiexpert_dlg.c - expert information dialog
4. Gtk\iscsiexpert_stat.c - iscsi flow dialog

We want our dissector and dialog to be included in the main wireshark
distribution. Could you please give me some suggestions:
1. Is it possible?
2. May we just send a patch based on packet-iscsi.c or do we need to send a new
file named packet-iscsiexpert.c for the iscsi dissector? If we use
packet-iscsiexpert.c, we need to add a new protocol iscsi[E] and need to enable
iscsi[E] and disable iscsi manually.

Thanks for your time.

Jimmy
jimmy wang
2010-01-20 09:37:40 UTC
Permalink
Hi Richard
We are very glad for your reply. The attached patch is the iscsi analyzing
system for wireshark 1.2.2. In this patch the iscsi[E] dissector is
implemented as a new file packet-iscsiexpert.c, you need to disable iscsi and
enable iscsi[E] to test it. The development platform is MS Windows and no
strict testing has been done. Just sending it to you for evaluation. Please feel
free to give us your suggestions.

BS.
Jimmy
Richard Sharpe
2010-01-20 18:29:46 UTC
Permalink
Post by jimmy wang
Hi Richard,
We are very glad for your reply. The attached patch is the iscsi analyzing
system for wireshark 1.2.2. In this patch the iscsi[E] dissector is
implemented as a new file packet-iscsiexpert.c, you need to disable iscsi and
enable iscsi[E] to test it. The development platform is MS Windows and no
strict testing has been done. Just sending it to you for evaluation. Please feel
free to give us your suggestions.

OK, thanks. It might take me a couple of days to do this.

Post by jimmy wang
BS.
Jimmy
--
Regards,
Richard Sharpe
Guy Harris
2010-01-20 19:08:37 UTC
Permalink
Post by jimmy wang
We are very glad for your reply. The attached patch is the iscsi analyzing system for wireshark 1.2.2.
Have you looked at whether the existing Wireshark call for adding "expert information" to packets (expert_add_info_format()) could be used by your expert info system? If not, is there anything that we should add to the existing mechanism so that your code could use it?
jimmy wang
2010-01-21 03:59:37 UTC
Permalink
We did use the expert_add_info_format in our expert info system. It is an
excellent function obviously. But because we need to add some private
information to use later in expert_info_t structure, to avoid modifying
your expert_info_t struct, we added a new iscsiexpert_expertdata_info_t
structure as follows and wrote a new function
iscsiexpert_add_info_to_analyzer_tap:

typedef struct iscsiexpert_expertdata_info_s {
    guint32 packet_num;
    int group;
    int severity;
    gchar *protocol;
    gchar *summary;
    proto_item *pitem;
    /* fields below are not in expert_info_t */
    gboolean direction;
    guint8 opcode;
    iscsiexpert_session_t *conn;
} iscsiexpert_expertdata_info_t;

Obviously, it is from your expert_info_t structure.
Could you add the private data pointer in your expert_info_t structure? Such
as:

typedef struct expert_info_s {
    guint32 packet_num;
    int group;
    int severity;
    gchar *protocol;
    gchar *summary;
    proto_item *pitem;
    gpointer priv_data;    /* requested addition: private data pointer */
} expert_info_t;

So, we can modify our code to use your expert_info_t struct.
Thanks for your reply again.
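Added example, not part of jimmy wang's message and not Wireshark code: the message above asks for a private pointer in expert_info_t so that an expert item can carry its iSCSI connection to whatever consumes it, and the thread names "StatSN less than ExpStatSN" as one of the rules. The C below shows both together; the types are simplified stand-ins (void * for gpointer), the names conn_state_t, sn_lt, consume, on_pdu and run_demo are hypothetical, and comparing the 32-bit counters modulo 2^32 so the rule holds across wraparound is an assumption about how such a rule would be written.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical stand-ins for the thread's types; not Wireshark's headers. */
typedef struct {
    uint32_t exp_stat_sn;  /* newest ExpStatSN seen from the initiator */
    int      have_exp;     /* 0 until an initiator PDU has been seen */
    uint32_t findings;     /* rule hits recorded on this connection */
} conn_state_t;
typedef struct {
    uint32_t    packet_num;
    const char *summary;
    void       *priv_data; /* the proposed private pointer (gpointer) */
} expert_info_t;

/* "a before b" modulo 2^32 (assumed), so the rule survives counter wrap. */
static int sn_lt(uint32_t a, uint32_t b) { return ((uint32_t)(a - b) >> 31) != 0; }

/* Consumer side: priv_data leads straight back to the connection. */
static void consume(const expert_info_t *ei) {
    conn_state_t *c = ei->priv_data;
    c->findings++;
}

/* Producer side: initiator PDUs carry ExpStatSN, target PDUs carry StatSN. */
static void on_pdu(conn_state_t *c, uint32_t pkt, int from_target, uint32_t sn) {
    if (!from_target && (!c->have_exp || sn_lt(c->exp_stat_sn, sn))) {
        c->exp_stat_sn = sn;   /* only ever move the mark forward */
        c->have_exp = 1;
    } else if (from_target && c->have_exp && sn_lt(sn, c->exp_stat_sn)) {
        expert_info_t ei = { pkt, "StatSN less than ExpStatSN", c };
        consume(&ei);
    }
}

/* Constructed PDU sequence that crosses the 2^32 wrap; returns final state. */
static conn_state_t run_demo(void) {
    static const struct { int from_target; uint32_t sn; } pdus[] = {
        {0, 0xFFFFFFFFu}, {1, 0xFFFFFFFFu}, {1, 0x00000002u},  /* no hit */
        {0, 0x00000005u}, {1, 0xFFFFFFFDu}, {1, 0x00000005u},  /* one hit */
    };
    conn_state_t c = {0};
    for (uint32_t i = 0; i < sizeof pdus / sizeof pdus[0]; i++)
        on_pdu(&c, i + 1, pdus[i].from_target, pdus[i].sn);
    return c;
}

int main(void) {
    printf("%u finding(s)\n", (unsigned)run_demo().findings);
}
```

A plain `<` on the raw counters would flag the third PDU (StatSN 2 after ExpStatSN 0xFFFFFFFF) and miss the fifth, which is the opposite of what the rule intends.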
Richard Sharpe
2010-01-20 20:55:57 UTC
Permalink
Post by jimmy wang
Hi Richard,
We are very glad for your reply. The attached patch is the iscsi analyzing
system for wireshark 1.2.2. In this patch the iscsi[E] dissector is
implemented as a new file packet-iscsiexpert.c, you need to disable iscsi and
enable iscsi[E] to test it. The development platform is MS Windows and no
strict testing has been done. Just sending it to you for evaluation. Please feel
free to give us your suggestions.

Hi again Jimmy.

What does Tianjin Inventec do? That is, what products etc does it work on?

I work for Data Robotics, and we have an iSCSI based product, and I
was an early core Wireshark developer back when it was called
Ethereal. Your changes will be very helpful to us, so I will try to
look at them soon.

Also, my family and I are currently planning a trip to China in June.
I might be able to spend some time in Tianjin, since it is not far
from Beijing.
--
Regards,
Richard Sharpe
jimmy wang
2010-01-21 03:24:23 UTC
Permalink
Hi Richard,
Tianjin Inventec(http://www.inventectj.com) is one software development
center of Inventec, its products include storage system, server value-add
software, manufacturing assistant system, etc. The wireshark iscsi team is
in the Storage department. We work on iSCSI based SAN array, NAS and storage
test systems... We use wireshark in our work almost every day and it is very
useful. Many thanks for all your guys’ excellent work.

It will be very wonderful if you can come to Tianjin, I will introduce our
development team to you then.

Jimmy
Richard Sharpe
2010-01-21 03:41:12 UTC
Permalink
Post by jimmy wang
Hi Richard,
Tianjin Inventec(http://www.inventectj.com) is one software development
center of Inventec, its products include storage system, server value-add
software, manufacturing assistant system, etc. The wireshark iscsi team is
in the Storage department. We work on iSCSI based SAN array, NAS and storage
test systems... We use wireshark in our work almost every day and it is very
useful. Many thanks for all your guys’ excellent work.
Thanks for your reply ... I am not sure if I sent you our web site's
URL or not: www.drobo.com

I also work on iSCSI storage and NAS systems (and am a Samba team member).
From your description above it seems that you work on test systems. Is
that true?
--
Regards,
Richard Sharpe
Richard Sharpe
2010-01-21 04:04:07 UTC
Permalink
Post by jimmy wang
Yes, I'm working on an iSCSI protocol test tool now.
One of the things that would be useful is an extension to your tool
that provides performance data in the form of graphs or tables showing
you:

- Read throughput for each LUN
- Write throughput for each LUN
- Latency
- Etc

Graphs can be very useful because they can help pinpoint dips in
throughput and so forth. I.e., if you are not sending enough R2Ts or
there are long delays between the initiator sending immediate data and
the first R2T being received from the target, and so forth.
--
Regards,
Richard Sharpe
jimmy wang
2010-01-21 03:53:26 UTC
Permalink
Yes, I'm working on an iSCSI protocol test tool now.
