Wireshark mailing list archives

Re: New Dissector only applied to first packet


From: Guy Harris <guy () alum mit edu>
Date: Fri, 2 Nov 2012 11:43:16 -0700


On Nov 2, 2012, at 7:00 AM, Jan Willamowius <jan () willamowius de> wrote:

I'm writing my first dissector based on the example in the Developers
Guide and README.developer.

I register my dissector for a certain port using

dissector_add_uint("udp.port", FOO_PORT, handle);

I notice that it only gets applied to the first packet that matches the
port and I can't apply it to other packets, not even using "Decode As".

"Only gets applied" meaning "you have a printf or are running it in the debugger and it's only being called for the 
first UDP packet being sent to or from port FOO_PORT" or "only gets applied" meaning "I only see the first UDP packet 
sent to or from port FOO_PORT having the dissector's information in the Protocol and Info columns and only see the 
dissector's information in the packet details pane when I click on the first such packet"?

The latter isn't necessarily equivalent to the former - if, for example, the dissector is a "new-style" dissector that 
checks to see if the packet looks as if it's a packet for its protocol, and returns 0 before doing any dissection work 
if it doesn't, the dissector might get called but might reject the packet.

What do the other packets to or from that port show up as?  Do they just show up as UDP, or are they showing up as some 
other protocol on top of UDP (and perhaps as a "malformed" packet for that protocol)?  If the latter, there may be a 
heuristic dissector or dissectors that are claiming the packets; if the packets aren't for those dissectors' protocols, 
perhaps the dissectors need to have their heuristics strengthened.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
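The accept/reject contract the reply describes, as an added model that is neither the original poster's dissector nor Wireshark's own code: a new-style dissector that returns 0 rejects the packet, so an acceptance check that is too strict leaves only the first datagram of a session dissected. The tvbuff accessors are stand-ins so the block compiles without the epan headers; the FOO message format and the too-strict check are hypothetical.

```c
/* Stand-ins for the Wireshark tvbuff accessors used below, so the block compiles
   without the epan headers (assumption: same names as the real API, simplified). */
typedef struct { const unsigned char *data; unsigned len; } tvbuff_t;
static unsigned tvb_length(const tvbuff_t *tvb) { return tvb->len; }
static unsigned char tvb_get_guint8(const tvbuff_t *tvb, unsigned off) { return tvb->data[off]; }
static unsigned tvb_get_ntohs(const tvbuff_t *tvb, unsigned off) {
    return ((unsigned)tvb->data[off] << 8) | tvb->data[off + 1];
}

/* Hypothetical FOO wire format: 1-byte message type, 2-byte big-endian payload length, payload. */
enum { FOO_HELLO = 1, FOO_DATA = 2, FOO_BYE = 3, FOO_HDR_LEN = 3 };
/* Sanity check shared by both variants: header present and length field consistent. */
static int foo_header_ok(const tvbuff_t *tvb) {
    if (tvb_length(tvb) < FOO_HDR_LEN) return 0;
    return tvb_get_ntohs(tvb, 1) + FOO_HDR_LEN == tvb_length(tvb);
}

/* Too-strict new-style dissector: only HELLO is accepted, so every later datagram of a
   session is rejected (return 0) and shows up as plain UDP or as some heuristic's protocol. */
static int dissect_foo_strict(const tvbuff_t *tvb) {
    if (!foo_header_ok(tvb) || tvb_get_guint8(tvb, 0) != FOO_HELLO) return 0;
    return (int)tvb_length(tvb);   /* non-zero: bytes consumed, the packet is ours */
}

/* Corrected check: any known message type with a consistent header is accepted. */
static int dissect_foo(const tvbuff_t *tvb) {
    unsigned char type;
    if (!foo_header_ok(tvb)) return 0;
    type = tvb_get_guint8(tvb, 0);
    if (type < FOO_HELLO || type > FOO_BYE) return 0;
    return (int)tvb_length(tvb);
}

/* Constructed capture: three FOO datagrams on the registered port, plus one stray datagram. */
static const unsigned char pkt_hello[] = {FOO_HELLO, 0x00, 0x02, 'h', 'i'};
static const unsigned char pkt_data[]  = {FOO_DATA,  0x00, 0x03, 'a', 'b', 'c'};
static const unsigned char pkt_bye[]   = {FOO_BYE,   0x00, 0x00};
static const unsigned char pkt_other[] = {0x7f, 0xff, 0xff, 0x00};
/* Number of datagrams a dissector claims; 1 versus 3 is the symptom described in the thread. */
static int count_claimed(int (*dissect)(const tvbuff_t *)) {
    const tvbuff_t pkts[] = {
        {pkt_hello, sizeof pkt_hello}, {pkt_data, sizeof pkt_data},
        {pkt_bye, sizeof pkt_bye},     {pkt_other, sizeof pkt_other},
    };
    int i, claimed = 0;
    for (i = 0; i < 4; i++) claimed += dissect(&pkts[i]) > 0;
    return claimed;
}
```

In a real dissector the same counting can be done by watching which packets get the protocol column set, or by adding a temporary debug print at the reject path rather than at the entry point.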