Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] allocator->in_scope

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 25 Mar 2018 11:11:11 -0700
On Mar 25, 2018, at 10:39 AM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

> Even bigger aha.  Although I only have one new block in the pcapng file, when I open the file via the file explorer dialogue, my block reader is called twice; once to allow WS to enrich the dialogue box (I think) and a second time to read the block before dissection.  I never noticed this before, and this probably explains a few weird problems I have been grappling with.

What happens if you run the capinfos program on your file?

If your block reader is called in that case, then it cannot use the wmem allocators, as 1) the wmem routines are part of libwireshark and 2) capinfos doesn't use libwireshark.  The code to put the summary in the dialog box is similar to the capinfos call, in that it doesn't do any dissection, it just gets what statistics can be gathered without looking at the contents of any of the records, just the metadata at which libwiretap looks.

Your block *dissector* can use the wmem routines, as dissectors are part of libwireshark or are plugins that "belong to" libwireshark; code that is part of libwiretap or that is a plugin that "belongs to" libwiretap, however, cannot use the wmem routines.