Wireshark-dev: Re: [Wireshark-dev] view filter bug

Date Prev · Date Next · Thread Prev · Thread Next
From: Brian Vandenberg <phantal@xxxxxxxxx>
Date: Sat, 30 Sep 2006 22:09:19 -0600
Before I write this up, I just wanted to confirm there isn't a workaround for this problem, or it isn't a misunderstanding of some sort.

Normally you can type 'http' into the view filter and you'll only see http packets. However, if the http dissector operates on packets handed to it by the ssl dissector after it has decrypted them, entering 'http' into the view filter causes all packets to disapear (unless some http packets were captured that weren't ssl encrypted).

What I suspect is happening is that since the ssl dissector isn't being executed to build the packet list, the decrypted ssl data is never added to a new tvb and passed off to the http dissector, so nothing gets listed.

Am I mistaken? Is there a workaround? Seems like a bug to me, and I'm getting pressure from my boss to figure out why my code is broken (it relies on the http dissector, and he can't just type the name of our protocol and have it only show those packets; but the http dissector has the same problem), and he doesn't believe me when I explain this problem to him.

Basically, he thinks I'm a newb who has no idea what's really going on; it *has* to be my code causing the problem since there's no way anyone writing code for wireshark could have left a bug like this in their code (ya, like everyone is perfect). So, if someone could point me in the right direction I'd appreciate it, or if you have an explanation that would be even better.

-Brian