Wireshark mailing list archives

Re: Lua script reads every packet twice


From: Guy Harris <guy () alum mit edu>
Date: Wed, 5 Jun 2019 12:51:41 -0700

On Jun 5, 2019, at 12:34 PM, Jerry White <jerrywhite518 () gmail com> wrote:

Please forgive me for such a basic question. I noticed that my Lua dissector processes a trace file twice.

*Wireshark* can process packets more than once; we will never guarantee that a dissector will see a packet only once.

Even *TShark* can do so if run with the -2 flag.

So you will need to make sure your dissector can handle this.

To isolate the issue I have removed nearly all my business code

A dissector should

        1) set columns for the packet as appropriate;

        2) build a protocol tree of fields in the packet;

        3) build, on the first pass, any data structures needed when redissecting - on the first pass, packets are processed in order, but packets may be handed to the dissector in random order after that, so if the dissection of packet N depends on the contents of packet M, for M < N, you'll need to remember whatever information allows you to dissect packet N in the future, even if packet M isn't dissected again first.

It should *not* report any statistics or other analysis information.  It may calculate and save that information, on the first pass, but it shouldn't report it; reporting that information should be done by taps - see

        https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.tapping;hb=HEAD

(or the doc/README.tapping file in the source tree)

If your dissector needs to do something only on the first pass, it needs to check the packet's "visited" flag; see

        https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Pinfo.html#lua_class_Pinfo

for information on how to do that from Lua code.

So if your business code is doing any reporting of statistics, or other information that's not in the "a dissector should" list above, it needs to be done outside the dissector.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
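
The pattern described in the message above, as an added example that is not part of the original post and not Wireshark project code: state is built only while `pinfo.visited` is false, redissection relies on per-frame saved state, and reporting is left to a tap. The "demo" protocol, its field layout, and UDP port 9999 are assumptions made up for illustration.

```lua
-- Hypothetical "demo" protocol (assumption): byte 0 = type (1 request, 2 response),
-- bytes 1-4 = transaction id, carried on UDP port 9999 (also an assumption).
local demo = Proto("demo", "Demo Request/Response (constructed example)")
local f_type  = ProtoField.uint8("demo.type", "Type", base.DEC, { [1] = "Request", [2] = "Response" })
local f_txid  = ProtoField.uint32("demo.txid", "Transaction ID", base.HEX)
local f_reqin = ProtoField.framenum("demo.request_in", "Request in frame")
demo.fields = { f_type, f_txid, f_reqin }

local pending = {}      -- txid -> frame number of latest request (first-pass scratch state)
local request_of = {}   -- response frame number -> request frame number (read on every pass)
local stats = { requests = 0, responses = 0, orphans = 0 }

function demo.init()    -- runs when a capture is (re)loaded: drop state from the previous file
    pending, request_of = {}, {}
    stats = { requests = 0, responses = 0, orphans = 0 }
end

function demo.dissector(tvb, pinfo, tree)
    if tvb:len() < 5 then return 0 end
    local ptype, txid = tvb(0, 1):uint(), tvb(1, 4):uint()

    if not pinfo.visited then   -- first pass only: packets arrive in capture order
        if ptype == 1 then
            pending[txid] = pinfo.number
            stats.requests = stats.requests + 1
        elseif ptype == 2 then
            stats.responses = stats.responses + 1
            request_of[pinfo.number] = pending[txid]
            if not pending[txid] then stats.orphans = stats.orphans + 1 end
            pending[txid] = nil
        end
    end

    -- Every pass, in any order: only columns and tree, driven by per-frame saved state.
    pinfo.cols.protocol = "DEMO"
    local sub = tree:add(demo, tvb())
    sub:add(f_type, tvb(0, 1))
    sub:add(f_txid, tvb(1, 4))
    local req = request_of[pinfo.number]
    if req then sub:add(f_reqin, req):set_generated() end
    return tvb:len()
end
DissectorTable.get("udp.port"):add(9999, demo)

-- Reporting happens in a tap, not in the dissector, so a second pass cannot double it.
local tap = Listener.new("frame")
function tap.draw()
    print(("demo: %d requests, %d responses, %d orphans"):format(stats.requests, stats.responses, stats.orphans))
end
```

Keying `request_of` by the response's own frame number is what lets frame N be redissected correctly without frame M being seen again first.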