Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Using "ip.id" for dissector_add

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 01 Jan 2008 03:14:44 -0800
Lars Friedrichs wrote:

thanks for the reply but at least looking at packet-sctp doesn't help me
here. I see that it uses "ip.proto" but that is not what I need since
the protocol does not rely on the "ip.proto" field but on "ip.id".

Really? The IP identification field, which is not guaranteed to have *ANY* particular value in an IP packet? The *ONLY* guarantee you have about the ID field is that all fragments of a fragmented IP datagram have the same ID field.

IPv4 has a "protocol" field that indicates what the protocol is for the payload of an IP datagram; why would any field other than the protocol field *EVER* be the one to use to specify the code used to process the data in the payload of an IP datagram (except for a misdesigned protocol)?

Yust to get this straight:
A protocol registers its header fields, shouldn't all these fields be
possible to be added a subdissector to?

Not if, in practice, there is nothing useful that all packets with the same value of one of those fields have in common that would cause all packets with that value, and no packets without that value, to be dissected by a particular subprotocol.

Maybe anyone can explain line
697 of packet.c to me:
    g_assert(sub_dissectors);
As I am not used to C I would read that line as if it tries to get some
assumptions about "sub_dissectors" straight.

If you're used to C, you'd read the line as if it tried to get one particular assumption, namely that the sub-dissector exists, straight.

Perhaps what that line needs to do is to return an error indication, with add_dissector() returning a Boolean, with FALSE being an error indication.