Wireshark-dev: Re: [Wireshark-dev] Detecting capture file load finished in a C plugin

From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Sun, 20 Dec 2015 11:58:08 +0000
OK - thanks.

I'll check again the business about the dissector being called twice during a capture file load (actually I've written a postdissector) in case there isn't a bug. I've written a Lua postdissector in the past and I know that it gets called twice for every frame; once with visited false and then in a second cycle through the frames with visited set to true.

Best regards...Paul

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: 18 December 2015 18:59
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Detecting capture file load finished in a C plugin


On Dec 18, 2015, at 10:41 AM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

> I’m writing a Custom C Plugin.  As a capture file is loaded, the callback dissect_plugin

I.e., the plugin is a dissector, rather than a handler for a type of capture file, or a statistical tap?

(Yes, there's more than one type of plugin supported.)

> is called for every packet loaded twice over.

That's probably a bug - one time should suffice when doing the initial read of the file - *BUT*:

	in TShark with the -2 flag, it will be called once for each packet in the second pass;

	in Wireshark, it will be called for packets when they're displayed, when they're selected, when a tap is run on them, etc.;

so your dissector *must* be capable of handling being called multiple times - no exceptions.

>  Is there a way I can detect the completion of the load of the capture file?

If what you *really* need, in order to handle being called multiple times, is to know whether this is the first time the packet is being dissected, you can pass the pinfo pointer to the PINFO_FD_VISITED() macro, and if it returns "true", this is *not* the first time the packet is being dissected.
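An added example (not from the thread and not Wireshark code) of the advice above: a dissector that keeps running state updates it only on the first dissection of a frame and replays the stored result on every later call. The structs and the `PINFO_FD_VISITED` definition are simplified stand-ins so the file compiles without Wireshark headers; `dissect_naive`, `simulate` and the counters are hypothetical names.

```c
#include <stdio.h>

/* Stand-ins for Wireshark's frame_data / packet_info (assumption: only the
 * fields used here; a real plugin gets these from <epan/packet.h>). */
typedef struct { unsigned num; unsigned visited; } frame_data;
typedef struct { frame_data *fd; } packet_info;
#define PINFO_FD_VISITED(pinfo) ((pinfo)->fd->visited)  /* local stand-in */

#define MAX_FRAMES 16
static unsigned running_total;             /* state built across the capture */
static unsigned per_frame[MAX_FRAMES + 1]; /* result remembered per frame number */
static unsigned naive_total;

/* Naive: updates state on every call, so re-dissection inflates the count. */
static unsigned dissect_naive(packet_info *pinfo) { (void)pinfo; return ++naive_total; }

/* Guarded: state changes only on the first dissection of a frame;
 * later calls replay the value computed then. */
static unsigned dissect_plugin(packet_info *pinfo)
{
    unsigned n = pinfo->fd->num;
    if (!PINFO_FD_VISITED(pinfo))
        per_frame[n] = ++running_total;
    return per_frame[n];
}

/* Constructed driver: a first pass over nframes frames, then a full second
 * pass with visited set. Returns the guarded result for the last frame. */
static unsigned simulate(unsigned nframes)
{
    frame_data fds[MAX_FRAMES + 1];
    unsigned last = 0;
    if (nframes > MAX_FRAMES) nframes = MAX_FRAMES;
    running_total = naive_total = 0;
    for (unsigned pass = 0; pass < 2; pass++) {
        for (unsigned i = 1; i <= nframes; i++) {
            if (pass == 0) { fds[i].num = i; fds[i].visited = 0; }
            packet_info pinfo = { &fds[i] };
            dissect_naive(&pinfo);
            last = dissect_plugin(&pinfo);
            fds[i].visited = 1;   /* frame is marked once it has been dissected */
        }
    }
    return last;
}

int main(void)
{
    unsigned last = simulate(5);
    printf("frame 5 -> %u, guarded=%u, naive=%u\n", last, running_total, naive_total);
    return 0;
}
```

In a real plugin the per-frame value would normally be attached to the frame with `p_add_proto_data()` and read back with `p_get_proto_data()` rather than kept in a fixed array.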