Wireshark · Ethereal-dev: Re: [Ethereal-dev] [RFC] specially mark protocol fields "generated" by Ethereal?

[Ian Schorr <ethereal@xxxxxxxxxxxxx>]

On Apr 24, 2004, at 1:26 PM, Michael Tuexen wrote:

> Hi,
>
> it is an interesting question. I was assuming that in the middle pane 
> the
> protocol fields are displayed in the sequence they appear in the packet
> (and related to the layer in the stack).

This is generally true, but totally depends on whether the dissector 
was implemented that way.  I'd say it's also a general practice that if 
a field refers to "real data" in a packet, that the byte(s) matching 
that range are highlighted when the field is selected - in that way you 
can see which bytes are related to a particular field.  This also means 
that if no bytes are marked a user can often infer that there are no 
bytes in the packet that are being directly decoded to generate a 
particular field (and that this is most likely a "synthetic" field).

The dissectors I'm very familiar with all tend to do this, but there's 
definitely no hard and fixed rule, or any code requirement.  I don't 
think these are even documented in the README.developer as general 
"good practices" or "conventions" when building a dissector.  Perhaps 
they should be?