Wireshark-dev: Re: [Wireshark-dev] Modifying the Decode of Previous Packets

From: didier <dgautheron@xxxxxxxx>
Date: Mon, 28 Sep 2009 23:38:43 +0200
Hi,
On Monday, 28 September 2009 at 14:20 -0600, Bryant Eastham wrote:
> All-
>
> I have developed many dissectors, but have not run up against this
> problem before. I am looking for a solution that will work inside a
> plugin dissector.
>
> The issue is that I have some secure traffic that I cannot decode
> until I learn some state that is only periodically advertised. This
> means that during the first pass through the packets I will fail
> to decode many packets, but that by the end of the first pass I will
> have (likely) learned enough to decode the previous packets.
>
> I believe (and will shortly test) that any secondary decodes (as
> clicking on the undecoded packet) will magically cause the column info
> to update and the packet to display decoded (assuming that my learned
With the 'old packet list' clicking on an undecoded packet will not
update the column info, only filtering will do.
 
With the new packet_list (SVN current) the column is only updated once.
If you load a file it works, for live capture some packets may have the
wrong column info. The tree would be ok though, it's redissected each
time.  

>  state is associated with my conversation, which it is).
I think it only works if you aren't using the new decoded state for
desegmentation. It may have some other weird side effects if you're
calling sub dissectors. 
>
> My question is whether it is possible to indicate to Wireshark that
> certain packets (or, worst case, all packets) should be rechecked. If
> it is only the “all packets” case I would likely not do anything (as I
> deal with large capture files). If selected packets could be redone
> then that might be interesting, as I know which packets are “mine” and
> if I learn later that I can decode them then I would know the frame
> numbers to re-parse.
Currently it's not possible.

Didier
