Wireshark-dev: Re: [Wireshark-dev] Dissector for stream data

From: Andriy Beregovenko <jet@xxxxxxxxxxx>
Date: Sun, 25 Dec 2011 11:50:31 +0200
Hi Andreas,

On Sun, Dec 25, 2011 at 06:35:42AM +0100, Andreas wrote:
> Am 24.12.2011 14:16, schrieb Andriy Beregovenko:
> >If I open dump, select frame, and push 'END' I move to end of dump.
> >At this time all frames between first few frames and few last frames, not
> >decoded, so I can't correct decode last frame.
> >Question is: how I can walk through all frames that will be passed to
> >dissector if we look frames one-by-one?
> Wireshark passes all packets in order to the dissector, when the
> capture is loaded. After this the dissector will get the packets in
> arbitrary order.
No. If you do not belive me - test :)
Wireshark not pass all packets to dissector while loading dump.
But, it pass first N packets to it, that needs to be displayed (after load).
And then it pass to dissector each packet, that will be displayed in packet
list part of window.
For example, we have dump with 100 packets inside. And wi have height of
display window about 10 packets(i mean w/o scroll). So when we loading dump,
will be passed 10 packets to dissector, from 1 to 10. Now, if we push
'End'-key on keyboard, then packet list window jump to display packets from
90 to 100. Also packets from 10 to 90 will not pass to dissector. so we got
next seq: 1-10,90-100.
 
> The dissector can distinguish between both calls (see
> PINFO_FD_VISITED macro) and build conversation information in the
> first phase.
> 
> Andy
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

-- 
Best regards,
Andriy
0xBDDBDAE3

Attachment: signature.asc
Description: Digital signature