Wireshark-dev: Re: [Wireshark-dev] Incorrect decoding at first time, then filtering at the seco

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Dec 2010 09:14:08 -0700
On Wed, Dec 08, 2010 at 12:29:40PM +0530, Vishal Kumar Singh wrote:

> In Wireshark, I am trying to decode a packet by taking its information
> from the last decoded packet (Control packet and Data Packet). The
> first time, a few data packets take wrong information and decode the
> packet accordingly. When I mark the faulty packet and clear the
> filter, the decoding of the faulty packet becomes good. What should be
> the reason behind this? Please help me out.

Although Wireshark dissects the packets in order when first opening a 
capture or performing a capture, it may re-dissect packets after that in 
no particular order.

The best solution is to keep track of the information from previous 
packets only on the first pass and store the data on a per-conversation 
and per-packet basis.  See README.developer in the doc directory for 
more information (look at sections 2.2 Following conversations and 2.5 
Per-packet information).  You can either check to see if the data has 
already been stored in these structures when you (re-)dissect a packet 
or check the boolean value pinfo->fd->flags.visited (TRUE or FALSE) to 
see if that packet has already been dissected.

There are numerous examples, but the one that I worked on comes to mind 
which is packet-vnc.c.
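
An added example, not part of the original message and not Wireshark code: a small stand-alone C model of the approach described above, comparing a dissector that reads the live conversation state with one that records state on the first pass only. The packet and conv_state structs, the "mode" field and all function names are assumptions made for illustration; only the visited flag mirrors pinfo->fd->flags.visited.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not Wireshark's API. */
typedef struct {
    bool is_ctrl;     /* control packets set the mode for later data packets */
    int  mode;        /* meaningful for control packets only */
    bool visited;     /* stand-in for pinfo->fd->flags.visited */
    int  saved_mode;  /* stand-in for per-packet data (README.developer 2.5) */
} packet;

typedef struct { int mode; } conv_state;  /* stand-in for conversation data (2.2) */

/* Naive dissector: decodes with whatever the conversation state holds now. */
static int dissect_naive(conv_state *c, const packet *p)
{
    if (p->is_ctrl) c->mode = p->mode;
    return c->mode;
}

/* Tracked dissector: touches conversation state on the first pass only and
 * pins the result to the packet; later visits read the pinned value. */
static int dissect_tracked(conv_state *c, packet *p)
{
    if (!p->visited) {
        if (p->is_ctrl) c->mode = p->mode;
        p->saved_mode = c->mode;
    }
    return p->saved_mode;
}

/* Sequential first pass over a constructed 4-packet capture, then re-dissect
 * packet 1 (a data packet sent under mode 1) out of order. */
int redissect_packet1(bool tracked)
{
    packet cap[4] = { {true, 1}, {false, 0}, {true, 2}, {false, 0} };
    conv_state conv = { 0 };
    for (int i = 0; i < 4; i++) {
        if (tracked) dissect_tracked(&conv, &cap[i]);
        else         dissect_naive(&conv, &cap[i]);
        cap[i].visited = true;  /* set by the framework once the first pass has seen it */
    }
    return tracked ? dissect_tracked(&conv, &cap[1]) : dissect_naive(&conv, &cap[1]);
}

int main(void)
{
    printf("naive:   packet 1 re-dissected with mode %d\n", redissect_packet1(false));
    printf("tracked: packet 1 re-dissected with mode %d\n", redissect_packet1(true));
    return 0;
}
```

The naive version decodes packet 1 with the mode set by the later control packet, while the tracked version returns the mode that was in effect when the packet was first seen.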