On 11/22/2011 6:19 PM, Kenny Ho wrote:
Hi,
I am writing my first dissector and it needs to dissect a packet base
on some information in previous packets. The protocol also allows
multiple of these stream mux together. What is the best way to
create a stateful dissector? From the dev guide, I notice there are
two different mechanisms that is "stateful" - the tap and the
"conversation". From what I can tell, tap seems to be for
post-processing of stats only. So is the "conversation" mechanism
the best way to implement a stateful dissector?
Yes: In addition to the dev guide, see doc/README.developer.
Did I miss any some other mechanism?
Note that it's possible (but less desirable due to memory usage) to store
"per-packet" state info (see README.developer section 2.5).