Wireshark mailing list archives

Re: Lua script reads every packet twice


From: Jerry White <jerrywhite518 () gmail com>
Date: Wed, 5 Jun 2019 15:25:28 -0700

Guy and Pascal,

Thanks very much!

Jerry


On Wed, Jun 5, 2019 at 12:52 PM Guy Harris <guy () alum mit edu> wrote:

On Jun 5, 2019, at 12:34 PM, Jerry White <jerrywhite518 () gmail com> wrote:

Please forgive me for such a basic question. I noticed that my Lua
dissector processes a trace file twice.

*Wireshark* can process packets more than once; we will never guarantee
that a dissector will see a packet only once.

Even *TShark* can do so if run with the -2 flag.

So you will need to make sure your dissector can handle this.

To isolate the issue I have removed nearly all my business code

A dissector should

        1) set columns for the packet as appropriate;

        2) build a protocol tree of fields in the packet;

        3) build, on the first pass, any data structures needed when
redissecting - on the first pass, packets are processed in order, but
packets may be handed to the dissector in random order after that, so if
the dissection of packet N depends on the contents of packet M, for M < N,
you'll need to remember whatever information allows you to dissect packet N
in the future, even if packet M isn't dissected again first.

It should *not* report any statistics or other analysis information.  It
may calculate and save that information, on the first pass, but it
shouldn't report it; reporting that information should be done by taps - see


https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.tapping;hb=HEAD

(or the doc/README.tapping file in the source tree)

If your dissector needs to do something only on the first pass, it needs
to check the packet's "visited" flag; see


https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Pinfo.html#lua_class_Pinfo

for information on how to do that from Lua code.

So if your business code is doing any reporting of statistics, or other
information that's not in the "a dissector should" list above, it needs to
be done outside the dissector.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
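
The first-pass rule described in the thread above, as an added example that is not code from the original posts or from the Wireshark project: a Lua dissector that builds its cross-packet state only while `pinfo.visited` is false and keys the result by frame number, so a response still finds its request when packets are redissected in any order. The protocol name `demo`, UDP port 9999 and the packet layout (4-byte transaction ID, 1-byte type) are assumptions made for illustration.

```lua
-- Added example. The "demo" protocol, UDP port 9999 and the layout
-- (4-byte transaction ID, 1-byte type: 0 = request, 1 = response) are assumptions.
local demo = Proto("demo", "Demo Request/Response")
local f_id   = ProtoField.uint32("demo.id", "Transaction ID", base.HEX)
local f_type = ProtoField.uint8("demo.type", "Type", base.DEC,
                                { [0] = "Request", [1] = "Response" })
local f_req  = ProtoField.uint32("demo.request_frame", "Request in frame", base.DEC)
demo.fields = { f_id, f_type, f_req }

local pending = {}        -- transaction ID -> frame number of the open request
local request_frame = {}  -- response frame number -> frame number of its request

-- Called when a capture is (re)loaded: drop state left from the previous file.
function demo.init()
    pending = {}
    request_frame = {}
end

function demo.dissector(tvb, pinfo, tree)
    if tvb:len() < 5 then return 0 end
    local id, kind = tvb(0, 4):uint(), tvb(4, 1):uint()

    -- First pass only: packets arrive in order here, so this is the one place
    -- where cross-packet state may be built. Later passes must not modify it,
    -- otherwise a redissected request would re-open a closed transaction.
    if not pinfo.visited then
        if kind == 0 then
            pending[id] = pinfo.number
        elseif kind == 1 and pending[id] then
            request_frame[pinfo.number] = pending[id]
            pending[id] = nil
        end
    end

    -- Every pass: set columns and build the tree from the packet bytes plus
    -- the per-frame result saved on the first pass.
    pinfo.cols.protocol = "DEMO"
    local subtree = tree:add(demo, tvb(0, 5))
    subtree:add(f_id, tvb(0, 4))
    subtree:add(f_type, tvb(4, 1))
    local req = request_frame[pinfo.number]
    if req then
        subtree:add(f_req, tvb(0, 4), req):set_generated()
    end
    return 5
end

DissectorTable.get("udp.port"):add(9999, demo)
```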
