
Wireshark-dev: [Wireshark-dev] pinfo->fd->flags.visited and NFS

From: Ian Schorr <ian.schorr@xxxxxxxxx>
Date: Thu, 14 Jan 2010 16:13:58 +1100

Hi all,

I'm in the process of making some improvements to the NFSv4 dissector
and running into some problems - hoping for some insight.

I've never spent any time with the pinfo "flags.visited" flag, or any
of the logic that takes Wireshark through multiple passes processing
the same packet.  In what sort of circumstances would
pinfo->fd->flags.visited actually be SET?


In this case I'm expanding the NFSv2/v3 "File handle snooping" logic
to support NFSv4 as well.  At a certain point, nfs_name_snoop_fh() is
called.  I'm finding that when this is called while processing NFSv4
frames, the frame has already been "visited" and this flag is set.
This causes a conditional to fail and none of the FH snooping code is
run.  However, this flag is FALSE when called by nfsv3.

I'm not clear on what's different about the NFSv4 processing that
could cause it to be "visiting" this frame before the FH processing is
done (which is called as part of the main dissection code, and as far
as I know is called directly from ONC-RPC dissection, at the exact
same point as NFSv3).

I'm also finding that everything works "normally" if I remove that
check - both with NFSv3 and v4.  But I'm assuming that removing this
check causes something inefficient to happen - unnecessary second
processing of FHs when dissecting with NFSv3, some extra memory usage,
or something.  But not clear what.

If I understood more about how/when this flag would be changed, and
what a dissector could do that would lead to a "second processing pass"
where this flag is set, I'd have a better chance of figuring out what
I can do about the problem.


Or if anyone knows the NFS/RPC dissectors well and wants to weigh in,
that'd be great too =)

Thanks,
Ian