Hi,
I suspect this may be a stupid question, but I can only find vague
allusions to the answer in the archives of this mailing list so I'll
go ahead and ask it.
I'm writing my first dissector plugin (for Delay Tolerant Networking's
TCP convergence layer, if anyone is interested) and mostly everything
is going fine. I believe I have desegmentation all working correctly,
and my parser appears to work. However, I have something of a problem
with displaying tree items.
What seems to happen with my dissector is that when I load one of my
sample pcap files to test it out, my dissector is invoked for all the
relevant packets in order. However, at this stage although the
proto_tree* argument to the top level dissector function isn't null,
wireshark appears to ignore or deallocate any tree items I add at this
stage. Then when I click on one of the DTN packets in the Wireshark
GUI, my dissector function is called again just for that one packet
and this time the proto_tree* arg isn't null, and the tree items I add
show up. This is a bit of a problem for me, since really I want some
state information to know what sort of PDU I'm supposed to be parsing
from that particular packet. While I dare say I could examine the
first few bytes of the PDU and make a judgment about what sort of PDU
it is, that isn't really how the protocol is supposed to work and
hence it isn't really how I'd like to parse it.
Now, the developer readme says "A protocol dissector can be called in
2 different ways... A protocol dissector can be called in 2 different
ways:
Wireshark distinguishes between the 2 modes with the proto_tree pointer..."
If I were getting a null tree pointer on the first run through, I'd
assume this was just how it was supposed to work and attempt to work
around my problems. That I'm getting a non-null pointer both times
does raise the possibility that I'm doing something wrong here.
Is this how dissectors are supposed to work?
Thanks,
Chris.
