
Wireshark-dev: [Wireshark-dev] Dissectors and parsing mode



From: "Chris Davies" <meiows@xxxxxxxxx>
Date: Sat, 8 Nov 2008 00:40:03 +0000

Hi,

I suspect this may be a stupid question, but I can only find vague
allusions to the answer in the archives of this mailing list so I'll
go ahead and ask it.

I'm writing my first dissector plugin (for Delay Tolerant Networking's
TCP convergence layer, if anyone is interested) and mostly everything
is going fine. I believe I have desegmentation all working correctly,
and my parser appears to work. However, I have something of a problem
with displaying tree items.

What seems to happen with my dissector is that when I load one of my
sample pcap files to test it out, my dissector is invoked for all the
relevant packets in order. However, at this stage although the
proto_tree* argument to the top level dissector function isn't null,
Wireshark appears to ignore or deallocate any tree items I add at this
stage. Then when I click on one of the DTN packets in the Wireshark
GUI, my dissector function is called again just for that one packet
and this time the proto_tree* arg isn't null, and the tree items I add
show up. This is a bit of a problem for me, since really I want some
state information to know what sort of PDU I'm supposed to be parsing
from that particular packet. While I dare say I could examine the
first few bytes of the PDU and make a judgment about what sort of PDU
it is, that isn't really how the protocol is supposed to work and
hence it isn't really how I'd like to parse it.

Now, the developer readme says "A protocol dissector can be called in
2 different ways... A protocol dissector can be called in 2 different
ways:
Wireshark distinguishes between the 2 modes with the proto_tree pointer..."

If I were getting a null tree pointer on the first run through, I'd
assume this was just how it was supposed to work and attempt to work
around my problems. That I'm getting a non-null pointer both times
does raise the possibility that I'm doing something wrong here.

Is this how dissectors are supposed to work?
Thanks,
     Chris.
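
The two-pass behaviour described above, modelled in Python as an added example (it is neither Wireshark code nor Chris's plugin). It assumes a constructed three-frame stream of a DTN-like TCP convergence layer in which only the first PDU self-identifies; the `visited` flag and the per-frame `proto_data` dict stand in for Wireshark's frame visited flag and its p_add_proto_data()/p_get_proto_data() per-packet store, whose exact signatures vary by release.

```python
"""Model of Wireshark's two dissection passes (added example, not Wireshark code).

Pass 1: every frame is dissected once in capture order (fd.visited is False).
Pass 2: a single frame is re-dissected when it is selected in the GUI
        (fd.visited is True); earlier frames are NOT re-run first.
"""
from dataclasses import dataclass, field

# Constructed stream: a contact header, then two data segments whose
# second byte is the payload length. Only the header is self-identifying.
FRAMES = [b"dtn!\x03\x00",   # frame 1: contact header, version 3
          b"\x01\x05hello",   # frame 2: data segment, 5 bytes
          b"\x01\x05world"]   # frame 3: data segment, 5 bytes

@dataclass
class FrameData:
    num: int
    visited: bool = False
    proto_data: dict = field(default_factory=dict)  # per-frame store

@dataclass
class PacketInfo:
    fd: FrameData

class NaiveDissector:
    """Keeps stream state only in the dissector: breaks on the second pass."""
    def __init__(self):
        self.seen_header = False
    def dissect(self, tvb, pinfo):
        if not self.seen_header:
            self.seen_header = True
            return "Contact header"
        return f"Data segment ({tvb[1]} bytes)"

class PerPacketStateDissector:
    """Decides the PDU kind on pass 1 and records it against the frame."""
    def __init__(self):
        self.seen_header = False
    def dissect(self, tvb, pinfo):
        if not pinfo.fd.visited:                       # first pass only
            kind = "data" if self.seen_header else "header"
            self.seen_header = True
            pinfo.fd.proto_data["dtn_kind"] = kind     # like p_add_proto_data()
        kind = pinfo.fd.proto_data["dtn_kind"]         # like p_get_proto_data()
        return "Contact header" if kind == "header" else f"Data segment ({tvb[1]} bytes)"

def run_two_passes(dissector, frames, selected):
    """Pass 1 over all frames, then re-dissect frame `selected` as the GUI would."""
    fds = [FrameData(i + 1) for i in range(len(frames))]
    first = [dissector.dissect(tvb, PacketInfo(fd)) for tvb, fd in zip(frames, fds)]
    fds[selected - 1].visited = True
    second = dissector.dissect(frames[selected - 1], PacketInfo(fds[selected - 1]))
    return first, second
```

Selecting frame 1 makes the naive dissector mislabel the contact header as a data segment, while the per-packet-state version reproduces the pass-1 result.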

  • Follow-Ups:
    • Re: [Wireshark-dev] Dissectors and parsing mode
      • From: Stephen Fisher
    • Re: [Wireshark-dev] Dissectors and parsing mode
      • From: Guy Harris