Wireshark mailing list archives

Re: When to use tree != NULL check?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 10 Sep 2012 20:57:36 -0700


On Sep 10, 2012, at 7:37 PM, mmann78 () netscape net wrote:
 
> I guess I've always used the rule that simple [1] dissectors (no matter how large) should all have the tree != NULL
> check before any dissection really takes place.

"Simple" would also have to include "no subdissectors" so that you don't end up skipping subdissector calls if you're 
not building a protocol tree.

> Most of the "expert info" I've seen is attached to "tree items" along the lines of "field validation" (command/value
> not supported/recognized, length incorrect, etc).  Without the tree, they don't seem very useful.

The "expert info" shows up not only in the protocol tree but also in the Analyze -> Expert Info window, and the highest 
"expert info" level shows up in a colored light on the status bar (hopefully it's still of use to colorblind users...), 
so it needs to be added when the capture is first read in.

> I've also seen dissectors that appear to be more geared towards tshark (lots of data in COL_INFO) than Wireshark,

Data in COL_INFO is useful to Wireshark users as well, if they're scanning the packet list pane.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
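
The rule discussed in this message, as an added example that is not part of the original post and is not Wireshark code: a self-contained C model in which every type and function (`model_tree`, `model_pinfo`, `model_expert`, `model_sub`, the constructed sample PDU) is a hypothetical stand-in for the corresponding libwireshark concept. It compares a dissector that returns early when the tree is NULL with one that guards only the tree-building work.

```c
/* Model only, NOT libwireshark: all names below are hypothetical stand-ins. */
#include <stdio.h>
#include <stddef.h>

typedef struct { int items; } model_tree;   /* protocol tree; NULL when not built */
typedef struct {
    char col_info[64];                      /* packet-list Info column text */
    int  max_expert;                        /* highest expert severity recorded */
    int  sub_calls;                         /* subdissector invocations */
} model_pinfo;
enum { SEV_NONE = 0, SEV_ERROR = 2 };
typedef void (*dissector_fn)(const unsigned char *, size_t, model_pinfo *, model_tree *);

static void model_expert(model_pinfo *p, int sev) { if (sev > p->max_expert) p->max_expert = sev; }
static void model_sub(model_pinfo *p, model_tree *t) { p->sub_calls++; if (t) t->items++; }

/* Constructed sample PDU: byte 0 = command, byte 1 = declared payload length
 * (9), but only 2 payload bytes follow, so the length field is wrong. */
static const unsigned char SAMPLE[] = { 0x7f, 0x09, 0xaa, 0xbb };

/* Variant A: the whole dissector sits behind the tree check. */
static void dissect_guarded(const unsigned char *b, size_t n, model_pinfo *p, model_tree *t) {
    if (t == NULL || n < 2) return;         /* no tree: nothing below runs */
    snprintf(p->col_info, sizeof p->col_info, "cmd=0x%02x", (unsigned)b[0]);
    t->items += 2;
    if ((size_t)b[1] > n - 2) model_expert(p, SEV_ERROR);
    model_sub(p, t);
}

/* Variant B: only the tree-building work sits behind the check. */
static void dissect_split(const unsigned char *b, size_t n, model_pinfo *p, model_tree *t) {
    if (n < 2) return;
    snprintf(p->col_info, sizeof p->col_info, "cmd=0x%02x", (unsigned)b[0]);
    if (t) t->items += 2;                   /* field items are tree-only work */
    if ((size_t)b[1] > n - 2) model_expert(p, SEV_ERROR); /* recorded without a tree */
    model_sub(p, t);                        /* subdissector is always called */
}

/* Run a dissector over SAMPLE, with or without a tree, and return the result. */
static model_pinfo run(dissector_fn d, int with_tree) {
    model_pinfo p = { "", SEV_NONE, 0 };
    model_tree t = { 0 };
    d(SAMPLE, sizeof SAMPLE, &p, with_tree ? &t : NULL);
    return p;
}

int main(void) {
    model_pinfo a = run(dissect_guarded, 0), b = run(dissect_split, 0);
    printf("guarded, no tree: info='%s' expert=%d sub=%d\n", a.col_info, a.max_expert, a.sub_calls);
    printf("split,   no tree: info='%s' expert=%d sub=%d\n", b.col_info, b.max_expert, b.sub_calls);
    return 0;
}
```

In this model both variants give the same result when a tree is supplied; they differ only on the pass without one.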

