Wireshark-dev: Re: [Wireshark-dev] Extracting field values in a C post-dissector
From: Paul Offord <[email protected]>
Date: Mon, 5 Sep 2016 22:11:55 +0000
I've hit a problem.  WS scans the trace file twice.  I need access to protocol fields (e.g. tcp.len and smb2.ses_id) during the first scan.

Unfortunately with the C postdissector the tree value passed during the first scan is NULL.  During the second scan I do get the tree.

I guess the LUA code uses the proto_tree_prime_hfid() outlined below.

Any suggestions how I move forward gratefully accepted.

Sent from Samsung Mobile on O2


-------- Original message --------
From: Guy Harris
Date:05/09/2016 03:59 (GMT+00:00)
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Extracting field values in a C post-dissector

On Aug 22, 2016, at 6:40 AM, Pascal Quantin <[email protected]> wrote:

> By having a quick look at the code, I *think* you will want first to retrieve the hfindex of a given field by using proto_registrar_get_id_byname(), then mark it as "interesting" with proto_tree_prime_hfid()

...which you have to do before the dissection starts.

Unfortunately, you can't do that in a post-dissector.

So...

> aOr a cll to proto_find_finfo() should work also without the need to prime the field, but should be slower according to the comments in proto.h.

...you might have to do it that way, instead.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe

______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________