Wireshark mailing list archives
Re: tshark --export-objects : -2 assumed or required for two-pass ?
From: chuck c <bubbasnmp () gmail com>
Date: Mon, 10 Aug 2020 22:03:19 -0500
I think I muddied the waters asking about two-pass and export objects.

The tshark export (with or without -2) works in versions 2.6 and 3.0. Something changed in 3.2 such that Wireshark produces a good file and the tshark export doesn't match.

Pretty much in over my head as to whether to look in tshark.c, packet-dcm.c or somewhere else. Was hoping to narrow things down before moving this to Bugzilla.

On Mon, Aug 10, 2020 at 9:30 PM Guy Harris <gharris () sonic net> wrote:
> On Aug 10, 2020, at 6:00 PM, John Thacker <johnthacker () gmail com> wrote:
>
>> On Mon, Aug 10, 2020 at 5:32 PM chuck c <bubbasnmp () gmail com> wrote:
>>
>>> tshark --export-objects dicom is behaving differently than exporting Dicom objects in Wireshark.
>>>
>>> Is the "-2" option assumed to be set, observed if set or not used at all for exporting objects with tshark?
>>
>> Having implemented Export Objects on a different custom TFTP-like protocol, I experienced the same thing.
>>
>> With tshark, -2 is observed if set, and that can result in different behavior. Generally more accurate information is obtained with two passes, which is equivalent to Wireshark behavior.
>
> Generally, at least for packet dissection, the only thing you get if you defer displaying packets until after the first pass is that you get to see not only "this frame is dissected as a response to the packet dissected for frame N" but also "this frame is dissected as a packet the response to which is in frame M". There may be exceptions, but it's best to keep them to a minimum.
>
>> There are certain protocols where single pass analysis just isn't sufficient to determine all the data, and dissectors where some state object is set, like packet-dcm.c, are a common case.
>
> If M < N, most protocols do not require data from packet N (at that protocol layer) in order to process packet M; that even applies to implementations that maintain state. The same applies to dissection; when dissecting a packet, all state established by previous packets is available.
>
> What are some examples where you need information from *later* packets to: dissect a packet completely; start constructing a file object?
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request () wireshark org ?subject=unsubscribe
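One way to narrow down the mismatch discussed in this thread, as an added example that is not part of any poster's message: export the same capture once with and once without `-2`, then compare the resulting objects by SHA-256. The function names and the `one-pass`/`two-pass` directory names are hypothetical; the capture path and protocol name (for example `dicom`) are passed as arguments, and `sha256sum` is assumed to be available.

```shell
#!/bin/sh
# Added example: compare tshark object exports made with and without -2.

# Print "sha256  relative-path" for every file under a directory, sorted by path.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
    done )
}

# compare_exports DIR_A DIR_B
# Prints manifest lines that differ; returns 0 when both exports are identical.
compare_exports() {
    a=$(mktemp) b=$(mktemp)
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}

# export_both CAPTURE PROTO OUTDIR
# Single-pass export goes to OUTDIR/one-pass, two-pass (-2) to OUTDIR/two-pass.
export_both() {
    mkdir -p "$3/one-pass" "$3/two-pass"
    tshark -q -r "$1" --export-objects "$2,$3/one-pass"
    tshark -2 -q -r "$1" --export-objects "$2,$3/two-pass"
}

# Usage: sh compare-exports.sh capture.pcapng dicom
if [ "$#" -eq 2 ]; then
    work=$(mktemp -d)
    export_both "$1" "$2" "$work"
    if compare_exports "$work/one-pass" "$work/two-pass"; then
        echo "one-pass and two-pass exports are identical"
    else
        echo "exports differ; files kept in $work"
    fi
fi
```

`compare_exports` can also be pointed at export directories produced by two different tshark versions, or at a tshark export next to objects saved from the Wireshark Export Objects dialog.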