On Dec 25, 2011, at 1:50 AM, Andriy Beregovenko wrote:
> Hi Andreas,
>
> On Sun, Dec 25, 2011 at 06:35:42AM +0100, Andreas wrote:
>>
>> Wireshark passes all packets in order to the dissector, when the
>> capture is loaded. After this the dissector will get the packets in
>> arbitrary order.
>
> No. If you do not believe me - test :)

No. If you do not believe me, read the code - or write some of it, as I did :).

> Wireshark does not pass all packets to the dissector while loading a dump.

Yes, it does. See cf_read() in file.c, which is the routine that reads in a capture file. There's a loop that does

    while ((wtap_read(cf->wth, &err, &err_info, &data_offset))) {
        update the progress bar;
        read_packet();
    }

where read_packet() in file.c:

    if there's a read filter, dissects the packet and checks whether the read filter matches;

    if the read filter matches *OR* if there's no read filter to match, calls add_packet_to_packet_list();

and add_packet_to_packet_list() in file.c also dissects the packet.

What Wireshark does *NOT* do is pass a non-null protocol tree pointer to the dissector when loading a capture file; any code that must be run on every packet when the capture file is read in must *NOT* be inside an

    if (tree) {
        ...
    }

block.
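
The pitfall described in the message above, as a stand-alone model added here; it is not code from the thread or from Wireshark. The mock types, the request/response packet types and the per-packet "visited" flag are assumptions made for illustration, and the four-packet capture is constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Mock types (assumed for this model, not Wireshark's real structures). */
typedef struct { int dummy; } mock_tree;
typedef struct { unsigned char type; int visited; } mock_packet;
enum { REQUEST = 1, RESPONSE = 2 };
typedef void (*dissector_fn)(mock_packet *, mock_tree *, int *);

/* BUGGY: the state update is inside if (tree), so it is skipped on
 * the load pass, where tree is NULL. */
static void dissect_buggy(mock_packet *p, mock_tree *tree, int *requests)
{
    if (tree) {
        if (p->type == REQUEST)
            (*requests)++;
        /* ... add display items to the tree ... */
    }
}

/* FIXED: state is updated on the first visit whether or not a tree
 * was passed; only display work depends on tree. */
static void dissect_fixed(mock_packet *p, mock_tree *tree, int *requests)
{
    if (!p->visited && p->type == REQUEST)
        (*requests)++;
    p->visited = 1;
    if (tree) {
        /* ... add display items to the tree ... */
    }
}

/* Load a constructed 4-packet capture with tree == NULL, then re-dissect
 * packet 2 with a tree. Returns how many requests the state recorded. */
static int simulate(dissector_fn dissect)
{
    mock_packet cap[] = { {REQUEST, 0}, {RESPONSE, 0}, {REQUEST, 0}, {RESPONSE, 0} };
    mock_tree tree = { 0 };
    int requests = 0;
    for (size_t i = 0; i < sizeof cap / sizeof cap[0]; i++)
        dissect(&cap[i], NULL, &requests);
    dissect(&cap[2], &tree, &requests);
    return requests;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", simulate(dissect_buggy), simulate(dissect_fixed));
    return 0;
}
```

The buggy variant records only the packet that was later re-dissected with a tree, so its state depends on which packets happen to be displayed.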