Wireshark-dev: Re: [Wireshark-dev] Re : dissector_add(tcp.proto... / where to find parameter fo

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 23 Apr 2009 10:49:16 -0700

On Apr 23, 2009, at 8:16 AM, yvanmmailbox-web@xxxxxxxx wrote:

> I'm almost a beginner so maybe I'm wrong, but here is what I suppose:
> udp.proto doesn't exist; if you want to dissect all frames that contain the UDP protocol, you should use:
> dissector_add("ip.proto", 0x11, red_handle)
> but in this case you lose the UDP dissection (and your dissection will be eth:ip:red) and maybe create a conflict (I think it can work if you disable the UDP protocol in WS). The parameter you give in "dissector_add" should be an expression associated with a hf_field in the lower dissector.

No.

The parameter you give in dissector_add() should be the name of a dissector table; the *ONLY* dissector table for UDP is named "udp.port". (Giving dissector tables that correspond to a particular protocol field the same name as the field was an obvious choice, but it *can* confuse people into thinking you can use arbitrary fields in dissector_add() calls.)

So, no, you can't use "udp.length" as a field name.
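
The distinction drawn in the reply above, as an added example that is not part of the original message and is not Wireshark source: a simplified, self-contained C model in which dissector tables are looked up by name, so "udp.port" is accepted and the field name "udp.length" is rejected. The names `model_dissector_add`, `model_lookup`, `setup_tables` and `dissect_red`, the port 5000, and the -1 return for a missing table are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Wireshark source: a dissector table is a named map
 * from an integer key (such as a UDP port) to a handler. */
typedef const char *(*handler_t)(void);
struct entry { unsigned key; handler_t handler; };
struct table { const char *name; struct entry entries[8]; int count; };
static struct table tables[4];
static int table_count;

static struct table *find_table(const char *name) {
    for (int i = 0; i < table_count; i++)
        if (strcmp(tables[i].name, name) == 0) return &tables[i];
    return NULL;
}

/* The parent protocols create the tables; only the two named in the thread. */
static void setup_tables(void) {
    memset(tables, 0, sizeof tables);
    tables[0].name = "ip.proto";
    tables[1].name = "udp.port";
    table_count = 2;
}

/* Model of dissector_add(): the first argument must name an existing table.
 * Returns 0 on success, -1 if there is no such table (or it is full). */
static int model_dissector_add(const char *name, unsigned key, handler_t h) {
    struct table *t = find_table(name);
    if (t == NULL || t->count == 8) return -1;
    t->entries[t->count++] = (struct entry){ key, h };
    return 0;
}

/* Per packet, the parent looks the value up in its own table. */
static handler_t model_lookup(const char *name, unsigned key) {
    struct table *t = find_table(name);
    for (int i = 0; t != NULL && i < t->count; i++)
        if (t->entries[i].key == key) return t->entries[i].handler;
    return NULL;
}

static const char *dissect_red(void) { return "red"; } /* hypothetical handler */

int main(void) {
    setup_tables();
    printf("udp.length: %d\n", model_dissector_add("udp.length", 5000, dissect_red));
    printf("udp.port:   %d\n", model_dissector_add("udp.port", 5000, dissect_red));
    return model_lookup("udp.port", 5000) == dissect_red ? 0 : 1;
}
```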