Hi,
I am trying to read the per-packet (user) comment in a post-dissector.
Calling epan_get_user_comment(pinfo->epan, pinfo->fd) doesn't work -
it the epan_session callback for get_user_comment() is set to NULL.
The callback that is set in places where the comment is available uses
ws_get_user_comment() as its callback, which looks up a hash table in
the capture_file struct.
I need to leave this for now, but if anyone happens to have looked
into this before I'd be grateful to hear about it.
Best regards,
Martin
P.S. This may be a hacky thing to want to do, but my motivation is to
at least demo being able to show Snort alerts this week by reading the
comment (attached by TraceWrangler) rather than running Snort from
within the post-dissector
