Wireshark-dev: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or COL_INFO data
From: John Dill <[email protected]>
Date: Mon, 18 Sep 2017 15:52:30 +0000
>Message: 1
>Date: Sat, 16 Sep 2017 13:38:31 +0100
>From: Peter Wu <[email protected]>
>To: John Dill <[email protected]>,
>        "[email protected]" <[email protected]>
>Subject: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or
>        COL_INFO data
>Message-ID: <[email protected]>
>Content-Type: text/plain; charset=utf-8
>
>Hi John,
>
>Are your col_* functions guarded/affected by a check like if(tree) or do they depend on pinfo->fd.visited? Are the affected frames >triggering reassembly or exceptions?

Part of it is.  I have a udp heuristic dissector that has a section that's kind of like this.  I have to be careful with actual content, so here is pseudo-code skeletal structure.

gboolean
dissect_protocol_udp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
  ...

  data_class = tvb_get_guint8(tvb, offset);

  if (data_class in list of recognized values)
  {
    col_add_str(pinfo->cinfo, COL_INFO, val_to_str(data_class, data_class_enum_vals, "Unknown"); /*this always works*/
    ...

    if (tree)
    {
      if (data_class == XXX) {
        dissect_xxx(tvb, pinfo, offset, tree);
      }
      if (data_class == YYY) {
        ...
      }
      ...
    }
    ...
  }
}

And the COL_INFO that gets lost is in the dissect_xxx function, which has several col_append functions used.  It gets lost after using a filter expression and I never get it back after that.

I've noticed this 'if (tree)' issue in a couple of the searches I've done attributed to this problem, but I don't quite understand the impact it has on dissection and populating the COL_INFO and friends column.  Any explanation or pointer to how this interaction works would be greatly appreciated.

Best regards,
John Dill

P.S. Thanks to Michael for the follow up too.