Wireshark-dev: Re: [Wireshark-dev] Getting ACK/SEQ numbers in a dissector

From: "Greg Sinclair" <gssincla@xxxxxxxxxxxxxxx>
Date: Tue, 25 Mar 2008 08:53:38 -0500
Bummer. 

Well, in that case, is there a way in Wireshark to keep track of packets
that have already been processed (since they seem to get processed
twice: once for INFO and once for tree)? The problem I'm facing is that I
have a set of static indexes into an encryption array. The first time
it's called (to do the INFO column) everything is fine. The second time
it's called (to do the tree) the dissector has no way of knowing the
original position in the data stream so the indexes no longer line up
and the data is corrupted. That's why I wanted to use the sequence
numbers since they'd provide a constant index. I guess I'm having
problems with the seemingly stateless nature of the dissectors. Any
suggestions around this would be appreciated.

greg.



-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, March 25, 2008 1:24 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Getting ACK/SEQ numbers in a dissector

Greg Sinclair wrote:

> It's the <sequence number..> part I need help filling in. Can someone
> help me figure out how to do this in a regular dissector function? And
> to make matters worse, I'd need the relative sequence number instead
> of the absolute sequence number.

There's no guarantee that you have the initial 3-way handshake in a
capture, so there's no guarantee that you *can* have the relative
sequence number.

Currently, I don't think there's any way to get the relative sequence
number even if it *is* known, and there's definitely no way to determine
whether it's known.
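The double-dissection problem described in the message above, modelled as an added example that is not part of the original thread and does not use the Wireshark API: a static keystream index breaks when a frame is dissected a second time, while an offset recorded per frame on first sight stays stable. The XOR keystream, the payloads, and all function names are constructed for illustration, and keying the saved state by frame number is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_FRAMES 8
/* Constructed toy keystream standing in for the "encryption array". */
static const uint8_t KEY[8] = {0x13, 0x37, 0xC0, 0xDE, 0xBA, 0xAD, 0xF0, 0x0D};
static size_t running_off;            /* static index, as in the post */
static size_t saved_off[MAX_FRAMES];  /* hypothetical per-frame saved offset */
static int seen[MAX_FRAMES];          /* 1 once a frame's offset is recorded */

static void xor_at(size_t off, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ KEY[(off + i) % sizeof KEY];
}

/* Naive: every call advances the index, so a repeat call uses the wrong offset. */
static void dissect_naive(unsigned frame, const uint8_t *in, uint8_t *out, size_t n) {
    (void)frame;
    xor_at(running_off, in, out, n);
    running_off += n;
}

/* Stable: the first call for a frame records its offset; later calls reuse it. */
static void dissect_stable(unsigned frame, const uint8_t *in, uint8_t *out, size_t n) {
    if (frame >= MAX_FRAMES) return;
    if (!seen[frame]) {
        saved_off[frame] = running_off;
        running_off += n;
        seen[frame] = 1;
    }
    xor_at(saved_off[frame], in, out, n);
}

/* Dissect two frames in order, then again in reverse; count correct second-pass results. */
int second_pass_ok(int stable) {
    const char *pt[2] = {"HELLO", "WORLD!"};  /* constructed payloads */
    void (*dis)(unsigned, const uint8_t *, uint8_t *, size_t) = stable ? dissect_stable : dissect_naive;
    uint8_t ct[2][8], out[8];
    size_t off = 0;
    int ok = 0;
    running_off = 0; memset(seen, 0, sizeof seen);
    for (int f = 0; f < 2; off += strlen(pt[f]), f++)   /* build the "capture" */
        xor_at(off, (const uint8_t *)pt[f], ct[f], strlen(pt[f]));
    for (int f = 0; f < 2; f++) dis(f, ct[f], out, strlen(pt[f]));  /* first pass */
    for (int f = 1; f >= 0; f--) {                                   /* second pass */
        dis(f, ct[f], out, strlen(pt[f]));
        ok += memcmp(out, pt[f], strlen(pt[f])) == 0;
    }
    return ok;
}
int main(void) { printf("naive %d/2, stable %d/2\n", second_pass_ok(0), second_pass_ok(1)); return 0; }
```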