Wireshark-dev: Re: [Wireshark-dev] False positive from the new "Look for incomplete dissectors"
From: Dario Lombardo <[email protected]>
Date: Tue, 17 Feb 2015 13:56:35 +0100


On Fri, Feb 13, 2015 at 5:15 PM, Jeff Morriss <[email protected]> wrote:
I have to admit that I like being able to click on a byte and see what field it maps to.  From that perspective I like when padding is claimed by the dissector which knew it was padding.  And when CR+NL are claimed by the item which they terminate.

If this functionality encourages dissectors to claim all the bytes used by their protocol that is, in my opinion, a good thing.

Actually they are 2 different things. An "undissected" byte is a byte claimed by a protocol, but not actually dissected. This is the case of a text prootocol where CR/LF are part of the claimed bytes, but they're not dissected by a specific proto_add_something(). Clinking on one of them will bring you to the "parent" protocol (VoIP for example).

Another thing is "unclaimed" bytes. They are bytes that have not been claimed by any dissector. Clicking on one of them will not bring to anything. I'm working on this feature now.