On Tue, Nov 23, 2010 at 12:20:26PM -0700, Stephen Fisher wrote:
> If you need to keep a running tab of what the last packet's value was,
> you can save the current packet's (from the correct direction) in the
> per conversation data and then replace it on every new packet you
> dissect so you always have the latest value. Per conversation is
> probably more often used to set certain values for later use though.
It would probably help to point out that the first time wireshark opens
a capture file (or does a live captuer), it dissects the packets in
sequential order. After that, there is no guarantee of the order in
which a user will click on packets (packets are re-dissected when a user
clicks on them.) Therefore, my suggestion of keeping a running tab
would only work on the first pass. This is where using per-conversation
and per-packet data comes in handy.