Wireshark-dev: Re: [Wireshark-dev] view filter bug

From: Brian Vandenberg <phantal@xxxxxxxxx>
Date: Sat, 30 Sep 2006 22:09:19 -0600
Before I write this up, I just wanted to confirm there isn't a workaround for this problem, or it isn't a misunderstanding of some sort.

Normally you can type 'http' into the view filter and you'll only see http packets. However, if the http dissector operates on packets handed to it by the ssl dissector after it has decrypted them, entering 'http' into the view filter causes all packets to disappear (unless some http packets were captured that weren't ssl encrypted).

What I suspect is happening is that since the ssl dissector isn't being executed to build the packet list, the decrypted ssl data is never added to a new tvb and passed off to the http dissector, so nothing gets listed.

Am I mistaken? Is there a workaround? Seems like a bug to me, and I'm getting pressure from my boss to figure out why my code is broken (it relies on the http dissector, and he can't just type the name of our protocol and have it only show those packets; but the http dissector has the same problem), and he doesn't believe me when I explain this problem to him.

Basically, he thinks I'm a newb who has no idea what's really going on; it *has* to be my code causing the problem since there's no way anyone writing code for Wireshark could have left a bug like this in their code (ya, like everyone is perfect). So, if someone could point me in the right direction I'd appreciate it, or if you have an explanation that would be even better.

-Brian