Wireshark-dev: Re: [Wireshark-dev] Volatile Read of Wireshark Frames

From: "FIXED-TERM Scholz Tobias (DC-IA/EAM6)" <fixed-term.Tobias.Scholz@xxxxxxxxxxxxxxx>
Date: Wed, 25 Feb 2015 14:14:03 +0000

Thanks for the hint with „ pinfo->fd->flags.visited”. This will help me to improve my code.

 

I implemented this variable to my dissector and watched the conduct of it. It reveals, that those flags, will not be reset (to FALSE), if I’m starting a new capture without booting Wireshark.

 

Is it possible to reset all those visited-flags of frames, which have already been dissected in the first capture, so that starting with a new capture the flags are all FALSE?

 

 

Von: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] Im Auftrag von Anders Broman
Gesendet: Mittwoch, 18. Februar 2015 11:05
An: Developer support list for Wireshark
Betreff: Re: [Wireshark-dev] Volatile Read of Wireshark Frames

 

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of FIXED-TERM Scholz Tobias (DC-IA/EAM6)
Sent: den 18 februari 2015 10:47
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Volatile Read of Wireshark Frames

 

Hi,

 

at the moment I am improving an existing Wireshark dissector. For my improvement it is really necessary, that Wireshark processes the incoming frames in a row. This will be done perfectly, if I am starting a new capture.

 

But for the case, that I am stopping my current capture and starting it at a later point new without rebooting Wireshark, the frames are processed in a  arbitrary order. I can check this conduct, with an easy output message to the Debug Console:

printf(“ Frame %u\n “, pinfo->fd->num);

(As far as I know, “pinfo->fd->num” returns the frame number of the current processed frame.)

With this function, I was able to see, that Wireshark jumps between the incoming frames during a running capture. For Example one conduct:

 

Frame 1 -230 processed in a row à  Jump to Frame 1 again à  Frame 1 -26 processed in a row à Jump to Frame 64 à Jump to Frame 1 again à Jump to Frame 205 à next frames have been processed in a row…

I even didn’t click on any frame. I just started and stopped the capture again.

 

Therefore I wanted to ask, whether this behavior is known and a solution exists, or whether I can force Wireshark to strict process a special Frame with number “XYZ”? It would be nice, if someone could explain me this conduct of Wireshark, after starting the capture new without closing the program, so that maybe I am able to deal with that conduct on my own.

 

If it helps to improve comprehension of my problem, I can create a screenshot and share it.

 

Thanks in advance.

 

In general Wireshark reads all packets in sequential order on the first pass only, after that packets will be read as needed eg if you scroll or jump to a packet the now visible packets will be “redissected”

The dissection result is not kept in memory so re dissection is needed.

 

pinfo->fd->flags.visited is sued in dissectors to only do some stuff on the first sequential pass and then arrangements has to be made if the result needs to be “remembered”

Hope this helps.

 

Regards

Anders