Wireshark-dev: Re: [Wireshark-dev] Using "ip.id" for dissector_add
From: Guy Harris <[email protected]>
Date: Tue, 01 Jan 2008 03:14:44 -0800
Lars Friedrichs wrote:

> thanks for the reply but at least looking at packet-sctp doesn't help me
> here. I see that it uses "ip.proto" but that is not what I need since
> the protocol does not rely on the "ip.proto" field but on "ip.id".

Really?  The IP identification field, which is not guaranteed to have 
*ANY* particular value in an IP packet?  The *ONLY* guarantee you have 
about the ID field is that all fragments of a fragmented IP datagram 
have the same ID field.

IPv4 has a "protocol" field that indicates what the protocol is for the 
payload of an IP datagram; why would any field other than the protocol 
field *EVER* be the one to use to specify the code used to process the 
data in the payload of an IP datagram (except for a misdesigned protocol)?

> Just to get this straight:
> A protocol registers its header fields, shouldn't all these fields be
> possible to be added a subdissector to?

Not if, in practice, there is nothing useful that all packets with the 
same value of one of those fields have in common that would cause all 
packets with that value, and no packets without that value, to be 
dissected by a particular subprotocol.

> Maybe anyone can explain line
> 697 of packet.c to me:
> As I am not used to C I would read that line as if it tries to get some
> assumptions about "sub_dissectors" straight.

If you're used to C, you'd read the line as if it tried to get one 
particular assumption, namely that the sub-dissector exists, straight.
Perhaps what that line needs to do is to return an error indication, 
with add_dissector() returning a Boolean, with FALSE being an error