Wireshark mailing list archives

Re: Retrieving dissection result from another dissector


From: Dario Lombardo <lomato () gmail com>
Date: Thu, 5 Jul 2018 09:34:31 +0200

What about, instead, introducing a new field in pinfo? Something like
"result from dissection of the next proto in the stack, reported to the
previous"? This could be a struct like

struct dissection_data {
  guint dissection_data_type;
  gchar dissection_data;
} dissection_data_t;

The called dissector could run

dissection_data_t* dd = wmem_new(wmem_packet_scope(), dissection_data_t);
dd->dissection_data_type = MYPROTO_DISSECTED_INT;
dd->dissection_data = &my_int_to_report_back;
p_data_dissection_save(pinfo, dd);

The caller could run

dissection_data_t* dd = p_data_dissection_get(pinfo);
switch (dd->dissection_data_type) {
  case MYPROTO_DISSECTED_INT:
    myint = *((guint*)dd->dissection_data);
  case ...
};

The function p_data_dissection_get() would give the caller the saved data
back and set the field to NULL, so it cannot be retrieved again by other
protos in the stack.

Thoughts?
Dario.

On Thu, Jul 5, 2018 at 3:07 AM Guy Harris <guy () alum mit edu> wrote:

On Jul 4, 2018, at 7:02 AM, Michael Mann via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

Just because you can exchange data between dissectors this way, doesn't
mean you should.  I think it's more understandable if there are multiple
layers/protocols between the setting of data and it's retrieval, but if you
are only going a single layer, the data parameter of
call_dissector_with_data should be used and a "shared structure" should be
defined that includes the input/output parameters.

Unfortunately, that style means that there's no type checking to make sure
the calling dissector passes data of the correct sort to the called
dissector; if the calling dissector passes it by attaching something with a
given protocol ID and the called dissector fetches it by getting something
with some protocol ID, if the protocol IDs don't match the fetch will fail
and you'll probably at least get a null-pointer dereference crash -
compile-time checks would be better than run-time checks, but run-time
checks are better than surprises because a structure of type A is being
interpreted as if it were a structure of type B.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe



-- 

Naima is online.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread: