Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap define

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 12 Feb 2017 19:13:43 -0800
On Feb 10, 2017, at 12:15 AM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

> It's normal for a dissector to be called with a NULL proto_tree pointer on the first pass *unless* a tap has been registered.

Actually, it's currently normal, in TShark, if you're doing two-pass processing, for taps not to be called on the first pass, so it's currently irrelevant whether a tap has been registered or not - no protocol tree is constructed on the first pass of two-pass processing unless it's needed for filtering, so no protocol tree is passed to dissectors, including post-dissectors, on the first pass of two.

If your post-dissector (which is *not* a tap) needs to be called with a protocol tree on *every* pass, that means that we need a way for post-dissectors to *directly* indicate that they need a protocol tree, *separate* from anything related to tap registration.  Taps should not be registered solely as a way to affect *other* code, such as a post-dissector.