
Wireshark-dev: Re: [Wireshark-dev] I have a wireshark dissector question

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Tue, 12 Apr 2016 07:59:59 -0700
On Tue, Apr 12, 2016 at 7:34 AM, 季红 <jihong_seu@xxxxxxx> wrote:
> Dear sir:
>         Please excuse me for taking the liberty of writing to you. I'm
> Chinese. I have a Wireshark dissector question which I would like to ask
> you. To make my example as plain and interesting as possible, I use the
> example from the official website:
> https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html .
>
> Example 9.12. Enhancing the display.
>
> static void
> dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
> {
>     guint8 packet_type = tvb_get_guint8(tvb, 0);
>
>     col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
>     /* Clear out stuff in the info column */
>     col_clear(pinfo->cinfo,COL_INFO);
>     col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s",
>              val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
>
>     if (tree) { /* we are being asked for details */
>         proto_item *ti = NULL;
>         proto_tree *foo_tree = NULL;
>         gint offset = 0;
>
>         ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
>         proto_item_append_text(ti, ", Type %s",
>             val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
>         foo_tree = proto_item_add_subtree(ti, ett_foo);
>         proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1,
>             ENC_BIG_ENDIAN);
>         offset += 1;
>     }
> }
>
>
> 1. Suppose there are three packets, then dissect_foo is called many times?

Yes.

> 2. If I click one row in Wireshark's user interface, then dissect_foo will
> be called many times?

Yes, for some value of many.

> 3. How can I debug the code slice:

In GDB you can place a breakpoint at the if statement and then single
step. You could also add printf statements. It will be easier, I
suspect, if you do this on Linux or Unix.

>     if (tree) { /* we are being asked for details */
>         proto_item *ti = NULL;
>         proto_tree *foo_tree = NULL;
>         gint offset = 0;
>
>         ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
>         proto_item_append_text(ti, ", Type %s",
>             val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
>         foo_tree = proto_item_add_subtree(ti, ett_foo);
>         proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1,
>             ENC_BIG_ENDIAN);
>         offset += 1;
>     }

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
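
The GDB approach from the reply, written out as a command file. This is an added example, not part of the original thread: it logs every call to dissect_foo and stops only when a tree is passed in. It assumes a build with debug symbols; the file names foo.gdb and sample.pcap are placeholders.

```gdb
# foo.gdb -- constructed example; start it with:
#   gdb -x foo.gdb --args tshark -r sample.pcap -V
# sample.pcap stands for any capture that contains FOO packets.

set pagination off

# The dissector may be in a plugin that is loaded after startup, so let
# GDB keep the breakpoint pending until the symbol becomes available.
set breakpoint pending on

# On every call, print the frame number and the tree pointer. This shows
# how often the dissector runs for each packet. Calls with tree == NULL
# skip the "if (tree)" block, so they are logged and execution resumes.
# Calls with a tree leave GDB stopped at the top of dissect_foo.
break dissect_foo
commands
  silent
  printf "dissect_foo: frame %u, tree=%p\n", pinfo->fd->num, tree
  if tree == 0
    continue
  end
end

run
```

Once GDB stops, `next` single-steps into the `if (tree)` block, and `print packet_type` or `print offset` shows the locals after each step.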