Writing Security Tools and Exploits

Now that you understand Ethereal and the full potential of the application, you should be able to code for it. If you have an application that deals with network interfaces, you can use libpcap to capture packets and save them to a file. text2pcap is a tool that converts hex dumps to the pcap format. You have seen the range of hex dump formats that text2pcap will accept, and how to produce a hex dump format from another file. Finally, you learned how to extend the wiretap library so that Ethereal can read a new file format natively, and also saw a practical example of how to reverse engineer a packet capture file format for which you had no documentation.
Ethereal has maintained a C-based dissector approach that each protocol is different. Some protocols need to save state between packets, others need to gather bits across multiple bytes and combine together into a single field. Protocols do many strange things. By understanding the basics of Ethereal protocol dissection, including the low-level routines and the advanced routines, you will be able to handle any of the peculiarities a protocol may offer.
You have seen multiple methods of producing the same report from the dissection that Ethereal produces: a line-mode tap module, a GUI tap module, a series of grep and awk commands to process a packet summary, a Python program to parse Tethereal's verbose output, and finally, a Python program to parse the PDML...