Wireshark-dev: Re: [Wireshark-dev] New Dissector only applied to first packet

From: Jan Willamowius <jan@xxxxxxxxxxxxxx>
Date: Fri, 2 Nov 2012 21:28:54 +0100
Guy Harris wrote:
> 
> On Nov 2, 2012, at 7:00 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
> 
> > I'm writing my first dissector based on the example in the Developers
> > Guide and README.developer.
> > 
> > I register my dissector for a certain port using
> > 
> > dissector_add_uint("udp.port", FOO_PORT, handle);
> > 
> > I notice that it only gets applied to the first packet that matches the
> > port and I can't apply it to other packets, not even using "Decode As".
> 
> "Only gets applied" meaning "you have a printf or are running it in the debugger and it's only being called for the first UDP packet being sent to or from port FOO_PORT" or "only gets applied" meaning "I only see the first UDP packet sent to or from port FOO_PORT having the dissector's information in the Protocol and Info columns and only see the dissector's information in the packet details pane when I click on the first such packet"?

I put a printf in and my dissector doesn't get called.


> What do the other packets to or from that port show up as?  Do they just show up as UDP, or are they showing up as some other protocol on top of UDP (and perhaps as a "malformed" packet for that protocol)?  If the latter, there may be a heuristic dissector or dissectors that are claiming the packets; if the packets aren't for those dissectors' protocols, perhaps the dissectors need to have their heuristics strengthened.

It turns out that other packets in between are responsible for the
dissector not being called for packets that come after them. If I mark
those to be ignored in the GUI, my dissector is called for all matching
packets and works fine.

My dissector only handles UDP packets, but strangely the stop-packets
are all TCP packets and I have verified that my dissector never even
gets called for them.

Any ideas?

Thanks,
Jan

-- 
Jan Willamowius, jan@xxxxxxxxxxxxxx, http://www.gnugk.org/