On Nov 2, 2012, at 7:00 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
> I'm writing my first dissector based on the example in the Developers
> Guide and README.developer.
>
> I register my dissector for a certain port using
>
> dissector_add_uint("udp.port", FOO_PORT, handle);
>
> I notice that it only gets applied to the first packet that matches the
> port and I can't apply it to other packets, not even using "Decode As".
"Only gets applied" meaning "you have a printf or are running it in the debugger and it's only being called for the first UDP packet being sent to or from port FOO_PORT" or "only gets applied" meaning "I only see the first UDP packet sent to or from port FOO_PORT having the dissector's information in the Protocol and Info columns and only see the dissector's information in the packet details pane when I click on the first such packet"?
The latter isn't necessarily equivalent to the former - if, for example, the dissector is a "new-style" dissector that checks to see if the packet looks as if it's a packet for its protocol, and returns 0 before doing any dissection work if it doesn't, the dissector might get called but might reject the packet.
What do the other packets to or from that port show up as? Do they just show up as UDP, or are they showing up as some other protocol on top of UDP (and perhaps as a "malformed" packet for that protocol)? If the latter, there may be a heuristic dissector or dissectors that are claiming the packets; if the packets aren't for those dissectors' protocols, perhaps the dissectors need to have their heuristics strengthened.
