Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Expert Infos are a bit "more official" now!

From: "Stratemeier, Frank" <FStratemeier@xxxxxxxxx>
Date: Mon, 27 Aug 2007 09:48:28 +0200
Title: [Wireshark-dev] Expert Infos are a bit "more official" now!
Yo Chris!
 
I had the same problem and was just wondering why.
It seems that "Expert Info" rescans a capture passing no valid tree pointer. "Expert Info Composite" does indeed pass a valid tree pointer!.
So in my dissector the EIC makes much more sense.
 
You said that the "old" EI will not be available in some future point of time?
 
Regards,
Frank
 

Von: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] Im Auftrag von Maynard, Chris
Gesendet: Freitag, 24. August 2007 22:33
An: Developer support list for Wireshark
Betreff: RE: [Wireshark-dev] Expert Infos are a bit "more official" now!

Ulf,

 

First - Great stuff!  I finally got around to adding this to a proprietary dissector to try it out.  For example, in a small capture file of around 15000 packets, I wanted to pick out 5 particular packets of interest.  This could have been accomplished by searching for these packets of course, or by applying a display filter, but nothing comes close to the convenience the expert info provides.  Anyway, I plan to slowly add this to more and more dissectors as I have time.

 

However, the only problem I came across was that in order for the expert info feature to work reliably, it seems that you have to do all of the detailed dissection work, regardless of whether or not the initial proto_tree passed to the dissector was NULL or not (i.e., To use the README.developer terminology, you can't assume "Operational dissection" only).  Therefore, I simply changed the "if (tree) { ... }" to "if (1) { ... }" to test it and that worked.

 

Anyway, that is probably obvious to you, but it wasn't to me, so you may want to indicate that in the documentation?  Or kindly point out what I might be doing wrong so I can still make use of the expert info features without doing any unnecessary building of the protocol tree?

 

Thanks again for documenting this feature and bringing it to everyone's attention!

 

Chris



From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Ulf Lamping
Sent: Thu 8/16/2007 6:30 PM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Expert Infos are a bit "more official" now!

Hi List!

I think the Expert Info feature that I've added a while ago should be
used more widely :-)


In the last days I've added the "Expert Info" feature to the User's
Guide, so users have a chance to know how to use it.

I've also changed the Wiki's ExpertInfo Developer page, it's more of a
"How To add expert infos to a dissector" now - before it was a bit
outdated  proposal / collecting ideas page.


As I'm using the EI for a quite a while now and I really find it
invaluable to get a "quick overview" of that file. In the PROFINET
dissectors for example, I've added "PI_UNDECODED" EI's at all places
where the current dissection is incomplete or where stuff is marked
"Reserved" in the specs. If I get a new capture file, I just open the EI
composite to have a quick look if anything in the dissection is missing
and needs to be implemented / checked. This is *much* faster than
scanning the packets manually and already saved me a lot of time.


If you're interested what the "Expert Infos" are and how to use them in
the GUI, please read the User's Guide section
http://www.wireshark.org/docs/wsug_html_chunked/ChAdvExpert.html.

If you're interested how to add "Expert Infos" to your dissector code,
please read the ExpertInfo Wiki page
http://wiki.wireshark.org/Development/ExpertInfo.


I can only suggest other developers to add more expert infos to their
dissectors, this will probably be very helpful for both developers and
users ...

Regards, ULFL



P.S: Any suggestions about the User Guide and Wiki page text or the EI
feature itself is welcome ...
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev