Title: [Wireshark-dev] Expert Infos are a bit "more official" now!
Yo Chris!
I had the same problem and was just wondering why.
It seems that "Expert Info" rescans a capture passing no valid tree pointer. "Expert Info Composite" does indeed pass a valid tree pointer!
So in my dissector the EIC makes much more sense.
You said that the "old" EI will not be available at some future point in time?
Regards,
Frank
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: Friday, 24 August 2007 22:33
To: Developer support list for Wireshark
Subject: RE: [Wireshark-dev] Expert Infos are a bit "more official" now!
Ulf,
First - Great stuff! I finally got around to adding this to a proprietary dissector to try it out.
For example, in a small capture file of around 15000 packets, I wanted to pick out 5 particular packets of interest. This could have been accomplished by searching for these packets of course, or by applying a display filter, but nothing comes close to the convenience the expert info provides. Anyway, I plan to slowly add this to more and more dissectors as I have time.
However, the only problem I came across was that in order for the expert info feature to work reliably, it seems that you have to do all of the detailed dissection work, regardless of whether or not the initial proto_tree passed to the dissector was NULL (i.e., to use the README.developer terminology, you can't assume "Operational dissection" only). Therefore, I simply changed the "if (tree) { ... }" to "if (1) { ... }" to test it and that worked.
Anyway, that is probably obvious to you, but it wasn't to me, so you may want to indicate that in the documentation? Or kindly point out what I might be doing wrong so I can still make use of the expert info features without doing any unnecessary building of the protocol tree?
Thanks again for documenting this feature and bringing it to everyone's attention!
Chris
From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Ulf Lamping
Sent: Thu 8/16/2007 6:30 PM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Expert Infos are a bit "more official" now!
Hi List!
I think the Expert Info feature that I added a while ago should be used more widely :-)
In the last few days I've added the "Expert Info" feature to the User's Guide, so users have a chance to know how to use it.
I've also changed the Wiki's ExpertInfo Developer page, it's more of a "How To add expert infos to a dissector" now - before it was a bit of an outdated proposal / collecting ideas page.
I've been using the EI for quite a while now and I really find it invaluable to get a "quick overview" of a file. In the PROFINET dissectors for example, I've added "PI_UNDECODED" EIs at all places where the current dissection is incomplete or where stuff is marked "Reserved" in the specs. If I get a new capture file, I just open the EI composite to have a quick look if anything in the dissection is missing and needs to be implemented / checked. This is *much* faster than scanning the packets manually and has already saved me a lot of time.
If you're interested in what the "Expert Infos" are and how to use them in the GUI, please read the User's Guide section http://www.wireshark.org/docs/wsug_html_chunked/ChAdvExpert.html.
If you're interested in how to add "Expert Infos" to your dissector code, please read the ExpertInfo Wiki page http://wiki.wireshark.org/Development/ExpertInfo.
I can only suggest that other developers add more expert infos to their dissectors, this will probably be very helpful for both developers and users ...
Regards, ULFL
P.S: Any suggestions about the User Guide and Wiki page text or the EI feature itself are welcome ...