On Sun, Mar 11, 2001 at 09:17:18PM +0100, Guillaume Le Malet wrote:
> In my proto working above TCP, I've got two different
> packets (that don't mean the same thing) but they have the
> same lenght (4 bytes) and the same king of data inside (1,
> 2 or 3). The only thing that makes the difference is the
> moment of their creation.
I assume by "moment of their creation" you don't mean the time stamp of
the packet, but mean the packets that came before that packet in the
conversation.
If so, then you'd need to, in the first pass through the packets,
maintain, in your dissector, private data structures to keep track of
the state of the conversation, and interpret the contents of the packets
in different ways depending on the state of the conversation.
You would *also* have to attach to each frame enough information to
allow you to correctly interpret the contents of that frame the next
time that frame is dissected, as there's *no* guarantee, after the first
sequential pass through the packets, that the packets will be accessed
in any particular order - users can click on packets in whatever order
they want.
See "packet-bxxp.c" and "packet-smtp.c" for code that does this sort of
context-sensitive dissection.
