Wireshark-dev: Re: [Wireshark-dev] Retrieving dissection result from another dissector
From: Dario Lombardo <[email protected]>
Date: Thu, 5 Jul 2018 09:34:31 +0200
What about, instead, introducing a new field in pinfo? Something like "result from dissection of the next proto in the stack, reported to the previous"? This could be a struct like

struct dissection_data {
  guint dissection_data_type;
  gchar dissection_data;
} dissection_data_t;

The called dissector could run

dissection_data_t* dd = wmem_new(wmem_packet_scope(), dissection_data_t);
dd->dissection_data_type = MYPROTO_DISSECTED_INT;
dd->dissection_data = &my_int_to_report_back;
p_data_dissection_save(pinfo, dd);

The caller could run

dissection_data_t* dd = p_data_dissection_get(pinfo);
switch (dd->dissection_data_type) {
    myint = *((guint*)dd->dissection_data);
  case ...

The function p_data_dissection_get() would give the caller the saved data back and set the field to NULL, so it cannot be retrieved again by other protos in the stack.


On Thu, Jul 5, 2018 at 3:07 AM Guy Harris <[email protected]> wrote:
On Jul 4, 2018, at 7:02 AM, Michael Mann via Wireshark-dev <[email protected]> wrote:

> Just because you can exchange data between dissectors this way, doesn't mean you should.  I think it's more understandable if there are multiple layers/protocols between the setting of data and it's retrieval, but if you are only going a single layer, the data parameter of call_dissector_with_data should be used and a "shared structure" should be defined that includes the input/output parameters.

Unfortunately, that style means that there's no type checking to make sure the calling dissector passes data of the correct sort to the called dissector; if the calling dissector passes it by attaching something with a given protocol ID and the called dissector fetches it by getting something with some protocol ID, if the protocol IDs don't match the fetch will fail and you'll probably at least get a null-pointer dereference crash - compile-time checks would be better than run-time checks, but run-time checks are better than surprises because a structure of type A is being interpreted as if it were a structure of type B.
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe

Naima is online.