Wireshark-dev: Re: [Wireshark-dev] flagging gaps in sequence

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Jul 2008 16:43:51 -0700

On Jul 16, 2008, at 8:39 PM, Barnes, Pat wrote:

> If you use a local static variable in the dissect_yourprot() function, it will store the number across packets.

...even if the packets across which it stores the number are from completely different sequences.

You need to use conversations and have the sequence number be per-conversation; see doc/README.developer for information on how to use conversations.

Furthermore, when a packet is dissected, the local static variable - or the per-conversation sequence number - will be the sequence number of the last dissected packet; except on the first pass through the packets, when the capture is being read, there is *NO* guarantee that the last dissected packet will be the one preceding the packet being dissected. Therefore, you also need to store per-packet information - if there's a sequence number gap between a given packet and the preceding packet, you have to store per-packet information noting that and, if a packet has already been visited (pinfo->fd->flags.visited is true), check for per-packet information for your protocol and, if it's present, display that as a sequence number gap, otherwise don't indicate any sequence number gap. See doc/README.developer for documentation on per-packet information.
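
The two requirements in the reply above (sequence state kept per conversation, and a gap flag recorded per packet on the first visit and replayed afterwards) can be modelled in stand-alone C. This is an added example, not code from the post or from Wireshark: the arrays stand in for the conversation and per-packet data facilities documented in doc/README.developer, and every name and the six-frame capture are constructed for illustration.

```c
#include <stdbool.h>
#include <string.h>

enum { NFRAMES = 6, NCONVS = 2 };

/* Constructed capture: two interleaved conversations; seq 3 of conversation 0 is missing. */
static const struct { int conv; unsigned seq; } capture[NFRAMES] =
    { {0, 1}, {1, 100}, {0, 2}, {1, 101}, {0, 4}, {1, 102} };

struct seq_state { bool have_last; unsigned last_seq; };

static struct {
    struct seq_state global;        /* models the single local static */
    struct seq_state conv[NCONVS];  /* models per-conversation data */
    bool visited[NFRAMES];          /* models pinfo->fd->flags.visited */
    bool gap_before[NFRAMES];       /* models per-packet data */
} st;

/* Compare with the previously dissected packet, then remember this one. */
static bool check_and_update(struct seq_state *s, unsigned seq)
{
    bool gap = s->have_last && seq != s->last_seq + 1;
    *s = (struct seq_state){ true, seq };
    return gap;
}

/* Naive: one counter shared by every conversation and every pass. */
bool naive_gap(int n) { return check_and_update(&st.global, capture[n].seq); }

/* First visit: compute per conversation, record per packet. Later visits: replay. */
bool tracked_gap(int n)
{
    if (!st.visited[n]) {
        st.gap_before[n] = check_and_update(&st.conv[capture[n].conv], capture[n].seq);
        st.visited[n] = true;
    }
    return st.gap_before[n];
}

/* First pass in capture order, then redissection in reverse order.
 * Bit n of the result is set when frame n is flagged on the second pass. */
unsigned redissect_mask(bool (*dissect)(int))
{
    unsigned mask = 0;
    memset(&st, 0, sizeof st);
    for (int n = 0; n < NFRAMES; n++) dissect(n);
    for (int n = NFRAMES - 1; n >= 0; n--) if (dissect(n)) mask |= 1u << n;
    return mask;
}
```

`redissect_mask(naive_gap)` returns 0x3f (every frame flagged, because the shared counter mixes conversations and dissection order), while `redissect_mask(tracked_gap)` returns 0x10 (only frame 4, the packet after the missing sequence number 3).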