On Wed, Dec 08, 2010 at 12:29:40PM +0530, Vishal Kumar Singh wrote:
> In wireshark, I am trying to decode a packet by taking its information
> from the last decoded packet (Control packet and Data Packet). In the
> first time, few data packet takes wrong information and, decodes the
> packet accordingly. When I mark the faulty packet and clear the
> filter, the decoding of faulty packet becomes good. What should be the
> reason behind this? Please, help me out.
Although Wireshark dissects the packets in order when first opening a
capture or performing a capture, it may re-dissect packets after that in
no particular order.
The best solution is to keep track of the information from previous
packets only on the first pass and store the data on a per-conversation
and per-packet basis. See README.developer in the doc directory for
more information (look at sections 2.2 Following conversations and 2.5
Per-packet information). You can either check to see if the data has
already been stored in these structures when you (re-)dissect a packet
or check the boolean value pinfo->fd->flags.visited (TRUE or FALSE) to
see if that packet has already been dissected.
There are numerous examples, but the one that I worked on comes to mind
which is packet-vnc.c.