>Thanks for replying. So to sum it up, we just use conversation of a protocol to store info related to the whole flow or conversation and we use
>p_add_proto_data for a specific packet related data that is stored in frame_data structure for each packet. When you said by combining them you mean
>we copy data which is not specific to the packet from conversation into pinfo using p_add_proto_data right?
>Sorry for asking so many questions. I am trying hard to understand the flow clearly and found very few resources for learning these advanced dissector
>topics. :)
Well, sort of. If you need information from previous packets, you may store that in conversation data as the packets are dissected sequentially on the first pass
and use that info to fill in data needed by this packet, but that may only work if the packets arrive in sequence, which is not guaranteed of course.
Note that any data stored per packet bloats Wireshark's memory footprint and should be used with care.
Regards
Anders
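
The pattern discussed in this thread, as an added example that is not part of the original messages and is not Wireshark code: a self-contained C model in which conversation state is updated on the first sequential pass and a small per-packet snapshot is what later, out-of-order re-dissections read. All struct and function names are hypothetical stand-ins (the `pdata` pointer plays the role of data attached with p_add_proto_data), the four-frame capture is constructed, and the frames are assumed to be in capture order.

```c
#include <stdio.h>
#include <stdlib.h>

struct conv_state  { unsigned last_request_id; };  /* per-flow, mutable     */
struct frame_state { unsigned request_id; };       /* per-packet snapshot   */

struct frame {
    int is_request;             /* constructed protocol: request or response */
    unsigned id;                /* id is carried only by requests            */
    int visited;                /* set once the first pass has seen the frame */
    struct frame_state *pdata;  /* stand-in for per-packet proto data        */
};

/* Returns the request id this frame relates to. */
unsigned dissect(struct conv_state *conv, struct frame *f)
{
    if (!f->visited) {
        /* First pass: frames arrive in order, so conv is current here. */
        if (f->is_request)
            conv->last_request_id = f->id;
        /* Snapshot only what this frame needs: it is kept for the whole
           lifetime of the capture, which is the memory cost noted above. */
        f->pdata = malloc(sizeof *f->pdata);
        if (!f->pdata)
            abort();
        f->pdata->request_id = conv->last_request_id;
        f->visited = 1;
    }
    /* Later passes never read conv: it now reflects the end of the flow. */
    return f->pdata->request_id;
}

/* Runs the first pass in order, then re-dissects one frame out of order. */
unsigned first_pass_then_revisit(struct frame *frames, int n, int revisit)
{
    struct conv_state conv = {0};
    for (int i = 0; i < n; i++)
        dissect(&conv, &frames[i]);
    return dissect(&conv, &frames[revisit]);
}

int main(void)
{
    /* Constructed capture: request 7, response, request 9, response. */
    struct frame cap[] = { {1, 7, 0, NULL}, {0, 0, 0, NULL},
                           {1, 9, 0, NULL}, {0, 0, 0, NULL} };
    printf("frame 2 answers request %u\n", first_pass_then_revisit(cap, 4, 1));
    return 0;
}
```

Reading `conv->last_request_id` directly on the revisit would report 9 for the second frame, because by then the conversation state describes the last packet of the flow rather than the one being displayed.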