
Wireshark-dev: Re: [Wireshark-dev] XXXX: avoid appending xxxx multiple times to frame.protocols

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Fri, 6 Oct 2017 07:01:57 +0200
Hi Guy,

On 5 Oct 2017 23:20, "Guy Harris" <guy@xxxxxxxxxxxx> wrote:
A given frame's dissection can have multiple packets for a given protocol, if, at any protocol layer, a PDU can contain multiple PDUs for the next layer above it (or parts of multiple PDUs, as with byte-stream protocols such as TCP).

Some recent changes have been submitted to fix that for particular protocols.

However, the underlying problem is that frame.protocols is intended to be a set (in which a given item can occur only once) rather than a bag (in which a given item can occur multiple times).  Perhaps it should be implemented as a set, with uniqueness enforced, so that individual dissectors don't need to keep from putting another XXXX in the bag if there's already one there?

What I also like about the frame.protocols field is that it shows the protocol encapsulation order within the packet. So in case of an IP packet encapsulated inside a protocol running on top of IP, I think it makes sense to display IP twice. Changing it to a set would lose this property.

The problem with S1AP and Co is that it uses some dissector tables internally to decode the fields, leading to fake multiple occurrences within the frame.protocols field. By the way, I realize that the pino functionality introduced by Michael might also have been used here instead of the simple patch I did. It might be an opportunity for me to see how this pino stuff behaves exactly ;)

Cheers,
Pascal.
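
The trade-off discussed in this message, as an added example that is not part of the original e-mail or of Wireshark's code: it applies set semantics and an adjacent-repeat collapse to colon-separated frame.protocols values, and flags protocols that recur with other layers in between. The sample strings are constructed, the assumption that the spurious S1AP entries sit next to each other is made here for illustration, and `collapse_adjacent` is a middle ground shown for comparison, not something proposed in the thread.

```python
from collections import Counter


def parse_protocols(field):
    """Split a frame.protocols value (colon-separated) into an ordered list."""
    return [p for p in field.strip().split(":") if p]


def as_set_ordered(layers):
    """Set semantics: keep only the first occurrence of each protocol."""
    seen, out = set(), []
    for proto in layers:
        if proto not in seen:
            seen.add(proto)
            out.append(proto)
    return out


def collapse_adjacent(layers):
    """Drop an entry only when it immediately repeats the previous one."""
    out = []
    for proto in layers:
        if not out or out[-1] != proto:
            out.append(proto)
    return out


def reencapsulated(layers):
    """Protocols that recur with other layers in between (real nesting)."""
    counts = Counter(collapse_adjacent(layers))
    return sorted(p for p, n in counts.items() if n > 1)


# Constructed sample values, not taken from a real capture.
SAMPLES = {
    "gre_tunnel": "eth:ethertype:ip:gre:ip:tcp",
    "s1ap_repeats": "eth:ethertype:ip:sctp:s1ap:s1ap:s1ap",
}

if __name__ == "__main__":
    for name, field in SAMPLES.items():
        layers = parse_protocols(field)
        print(name)
        print("  bag (as recorded):", ":".join(layers))
        print("  set:              ", ":".join(as_set_ordered(layers)))
        print("  adjacent collapse:", ":".join(collapse_adjacent(layers)))
        print("  re-encapsulated:  ", reencapsulated(layers))
```

With set semantics the tunnelled inner `ip` disappears from the GRE sample, which is the loss of encapsulation order described above; the adjacent collapse removes only the repeated `s1ap` entries.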