Wireshark-dev: Re: [Wireshark-dev] How to reassemble split TCP Packets - to group together with

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Jul 2009 16:00:54 -0700

On Jul 17, 2009, at 2:14 PM, Tamas Somogyi wrote:

> I can see two solutions:
> 1. Extend the design of tcp_dissect_pdus() to call dissectors for the packet as described below.

What's described below?

> 2. Possibility to modify the existing content of a column. I'm thinking about adding a function to column-utils.c, let's call it col_modif_str(cinfo,el,str), which -instead of appending- overwrites the info up to the length of the existing string, if there's a fence. If no fence yet, it just sets the string by calling col_set_str(). It needs some more investigation on my side as I'm not familiar with such internal code, but it seems the easier way.

Or *some* change to the way columns are processed.

Note that if you have, encapsulated in TCP, protocol A, and if you have, encapsulated in protocol A, protocol B, getting the Info column to give information about all packets in a link-layer frame, at the top level, is harder, as that information is put there by the dissector for protocol B - but you don't end up with protocol B's dissector called sequentially for each packet. Instead, you'd have protocol A's dissector called for the first packet, then protocol B's dissector, then protocol A's dissector for the second packet, then protocol B's dissector for the second packet.

Perhaps what we really want is a *stack* of Info columns, so that the protocol A dissector can just keep appending to the Info column at its level of the stack; that Info column would start out empty (as the Info column for the protocol below it in the stack would be separate).

Once they're all filled in, the topmost Info column could be what's displayed - or we could, perhaps, have the packet list be a tree view, so that you could open up a row in the tree view and see the Info column (and Protocol column, and perhaps other columns) for *all* layers of the protocol.

That opens up the possibility of another layer of tree view, so that you could have an Info column with information for all the packets within a link-layer frame, and then open that up and see the Info columns for each of those packets individually.

However, the UI stuff isn't required in order to implement the stack of columns - we could leave the UI the same, and just implement the stack and have the topmost element of the stack generate the columns. The UI stuff could be designed and done later.
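
The stack of Info columns proposed above, modelled as an added example that is not part of the original post and is not Wireshark code. The names `info_stack`, `info_append`, `info_top` and `demo_frame` are hypothetical, and the frame contents (two protocol A PDUs, each wrapping one protocol B PDU) are constructed to reproduce the A, B, A, B call order the post describes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LAYERS 4
#define INFO_LEN   128

/* Hypothetical model: one Info buffer per protocol layer, all starting empty. */
typedef struct {
    char info[MAX_LAYERS][INFO_LEN];
    int  top;                       /* highest layer that wrote text, -1 if none */
} info_stack;

static void info_stack_init(info_stack *s) {
    memset(s, 0, sizeof *s);
    s->top = -1;
}

/* Append to one layer's Info text only; other layers are left untouched. */
static void info_append(info_stack *s, int layer, const char *str) {
    if (layer < 0 || layer >= MAX_LAYERS) return;
    char *buf = s->info[layer];
    size_t used = strlen(buf);
    if (used > 0 && used + 2 < INFO_LEN) { strcat(buf, "; "); used += 2; }
    strncat(buf, str, INFO_LEN - 1 - used);   /* truncate rather than overflow */
    if (layer > s->top) s->top = layer;
}

/* What an unchanged UI would display: the topmost layer's Info text. */
static const char *info_top(const info_stack *s) {
    return s->top < 0 ? "" : s->info[s->top];
}

/* Constructed frame: dissectors run in the order A(1), B(1), A(2), B(2). */
static const char *demo_frame(info_stack *s) {
    char tmp[32];
    info_stack_init(s);
    for (int pdu = 1; pdu <= 2; pdu++) {
        snprintf(tmp, sizeof tmp, "A pdu %d", pdu);
        info_append(s, 0, tmp);               /* protocol A's level */
        snprintf(tmp, sizeof tmp, "B msg %d", pdu);
        info_append(s, 1, tmp);               /* protocol B's level */
    }
    return info_top(s);
}

int main(void) {
    info_stack s;
    printf("displayed: %s\n", demo_frame(&s));
    printf("layer A:   %s\n", s.info[0]);
    return 0;
}
```

Because each layer appends to its own buffer, neither dissector needs a fence or an overwrite helper to keep the other's text intact.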