
Wireshark-dev: Re: [Wireshark-dev] Reading packet comment in a dissector?

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Tue, 18 Oct 2016 09:13:26 +0100
I was able to do this at least for now (thanks Anders).

    /* Excerpt from the post-dissector's dissect function: walk every field_info
       already added to the tree and pick out the "frame.comment" field, which
       the frame dissector adds when a per-packet comment is present. */
    /* Needs: <string.h>, <glib.h>, <epan/proto.h> */
    const gchar *value = NULL;

    if (tree != NULL) {
        GPtrArray *items = proto_all_finfos(tree);
        if (items) {
            guint i;
            /* TODO: once past the "frame" entries the comment is not going to
               be found, so break out of the loop there. */
            for (i = 0; i < items->len; i++) {
                field_info *field = (field_info *)g_ptr_array_index(items, i);
                if (strcmp(field->hfinfo->abbrev, "frame.comment") == 0) {
                    value = field->value.value.string;
                    break;
                }
            }
            /* Free only the array allocated by proto_all_finfos(); the
               field_info items themselves are owned by the tree. */
            g_ptr_array_free(items, TRUE);
        }
    }

On Mon, Oct 17, 2016 at 3:33 PM, Martin Mathieson
<martin.r.mathieson@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> I am trying to read the per-packet (user) comment in a post-dissector.
> Calling epan_get_user_comment(pinfo->epan, pinfo->fd) doesn't work -
> the epan_session callback for get_user_comment() is set to NULL.
>
> The callback that is set in places where the comment is available uses
> ws_get_user_comment() as its callback, which looks up a hash table in
> the capture_file struct.
>
> I need to leave this for now, but if anyone happens to have looked
> into this before I'd be grateful to hear about it.
>
> Best regards,
> Martin
>
> P.S. This may be a hacky thing to want to do, but my motivation is to
> at least demo being able to show Snort alerts this week by reading the
> comment (attached by TraceWrangler) rather than running Snort from
> within the post-dissector