Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] False positive from the new "Look for incomplete dissectors"

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Dario Lombardo <dario.lombardo.ml@xxxxxxxxx>
Date: Tue, 17 Feb 2015 13:56:35 +0100


On Fri, Feb 13, 2015 at 5:15 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
I have to admit that I like being able to click on a byte and see what field it maps to.  From that perspective I like when padding is claimed by the dissector which knew it was padding.  And when CR+NL are claimed by the item which they terminate.

If this functionality encourages dissectors to claim all the bytes used by their protocol that is, in my opinion, a good thing.

Actually they are 2 different things. An "undissected" byte is a byte claimed by a protocol, but not actually dissected. This is the case of a text prootocol where CR/LF are part of the claimed bytes, but they're not dissected by a specific proto_add_something(). Clinking on one of them will bring you to the "parent" protocol (VoIP for example).

Another thing is "unclaimed" bytes. They are bytes that have not been claimed by any dissector. Clicking on one of them will not bring to anything. I'm working on this feature now. 
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube