Ravid Gabbay wrote:
> I'm trying to write a plugin for my purposes, and as I understand, when
> a packet is visited again, the plugin is called again
> and all the work needs to be done again. Why is that?

Because

1) saving the entire protocol tree for every packet dissected would
require even *more* memory than we already use per packet;

2) there's no guarantee that, the first time the packet is dissected, a
protocol tree will even be built.

> Can that be
> avoided, if nothing will be changed from the initial visit?

No.

> My problem is that my plugin assumes that packet n will be dissected
> right after packet n-1, so that in the plugin I can save
> in static variables some info from the n-1 packet. And since the plugin
> is called again when the packet is revisited, the n may not always be
> after n-1.
> Something that will solve my problem is a way to keep a packet's info
> (that was set during the first dissection of the packet) valid and
> readable in the other dissections of the packet. Is there a way to do that?

Yes.

On the first pass, set up a data structure for each packet sequence (TCP
connection, UDP flow, whatever - you might be able to use a conversation
for that), and attach to that data structure some state information; in
that pass, packet n+1 will be dissected right after packet n.

Then, for each packet that needs additional information from previous
packets in order to dissect it, attach to the packet that information.
See the p_add_proto_data() routine.

On all subsequent passes, fetch the data with p_get_proto_data().

(This is, by the way, not specific to plugins - plugin dissectors work
the same way built-in dissectors do.)
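
The two-pass approach described above, as an added example that is not part of the original message and does not use the dissector headers: a simplified C model in which `frame_t`, its `visited` flag, `frame_add_data()` and `frame_get_data()` are hypothetical stand-ins for the per-frame record and for p_add_proto_data()/p_get_proto_data(). It contrasts the static-variable approach from the question with state saved on each packet during the first pass.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, NOT the real dissector API. frame_add_data() and
 * frame_get_data() are hypothetical stand-ins for p_add_proto_data() and
 * p_get_proto_data(); the visited flag is an assumption of this model. */
typedef struct { int payload; int visited; void *proto_data; } frame_t;
typedef struct { int prev_payload; } flow_state_t; /* per-flow, used on first pass */
typedef struct { int prev_payload; } pkt_info_t;   /* what packet n needs from n-1 */

static void  frame_add_data(frame_t *f, void *d) { f->proto_data = d; }
static void *frame_get_data(const frame_t *f)    { return f->proto_data; }

static int g_prev; /* the "static variable" approach from the question */

/* Fragile: correct only if packet n is dissected right after packet n-1. */
static int dissect_static(const frame_t *f) {
    int delta = f->payload - g_prev;
    g_prev = f->payload;
    return delta;
}

/* Robust: first pass copies flow state onto the frame; every pass reads it back. */
static int dissect_saved(frame_t *f, flow_state_t *flow) {
    if (!f->visited) {
        pkt_info_t *pi = malloc(sizeof *pi);
        if (pi == NULL) abort();
        pi->prev_payload = flow->prev_payload;
        frame_add_data(f, pi);
        flow->prev_payload = f->payload;
        f->visited = 1;
    }
    return f->payload - ((pkt_info_t *)frame_get_data(f))->prev_payload;
}

static int dissect(frame_t *f, flow_state_t *flow, int use_saved) {
    return use_saved ? dissect_saved(f, flow) : dissect_static(f);
}

/* Constructed sample capture: one flow, four packets. Sequential first pass,
 * then the last frame and frame `revisit` are revisited out of order. */
static int run(int revisit, int use_saved) {
    frame_t frames[4] = { {10, 0, NULL}, {25, 0, NULL}, {45, 0, NULL}, {50, 0, NULL} };
    flow_state_t flow = { 0 };
    int i, result;
    g_prev = 0;
    for (i = 0; i < 4; i++) (void)dissect(&frames[i], &flow, use_saved);
    (void)dissect(&frames[3], &flow, use_saved);
    result = dissect(&frames[revisit], &flow, use_saved);
    for (i = 0; i < 4; i++) free(frames[i].proto_data);
    return result;
}

int main(void) {
    printf("static: %d, saved: %d\n", run(1, 0), run(1, 1));
    return 0;
}
```

Revisiting the second packet after the last one gives the wrong delta with the static variable, while the per-packet copy returns the same value as on the first pass.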