Ethereal-dev: Re: [Ethereal-dev] Bug in the filtering system ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Thu, 8 Jul 2004 19:44:51 +0200
Sid Sid wrote:
> I've found strange behavior in Ethereal when I tried to analyse a captured
> file (see attached file). This is an FTAM connect accept PDU, so there are
> several PDUs: TPKT/COTP/SES/PRES/ACSE/FTAM.
> If I don't use filtering (the filter window is empty), Ethereal shows me
> 'PRES' (it's wrong) in the protocol column, but I can see FTAM details in the
> 'packet details' window.
>
> If I use as a filter any of the protocol names (TCP, TPKT, COTP, SES ... FTAM),
> Ethereal begins to show me the correct protocol name (FTAM, in our case).
>
> Can anybody explain to me what is wrong?
>

I think that the problem is that the PRES dissector doesn't call the ACSE dissector when tree is NULL.
The tree pointer can be NULL during the first pass when there is no color or display filter.

For more information see doc/README.developer.

There are probably some if(tree)-statements that have to be removed (or moved).


Below is an extract from README.developer:
-----------------------------------------------
Ethereal distinguishes between the 2 modes with the proto_tree pointer:

(a) <=> tree == NULL

(b) <=> tree != NULL

In the interest of speed, if "tree" is NULL, avoid building a
protocol tree and adding stuff to it if possible. Note,
however, that you must call subdissectors regardless of whether
"tree" is NULL or not. */