On Apr 9, 2017, at 10:37 PM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:
> Ah that was going to be my next question :-)
>
> Any ideas?
Given that there are no such APIs, one would have to be added and, if we're going to be adding APIs, an API by which a post-dissector can specify that, at least on the first pass through the packets, it requires a protocol tree would be better, as it wouldn't encourage people to write code that works only in Wireshark but not in TShark. (The only such code should be taps with a GUI. Even the taps that produce tables of information shouldn't be program-dependent - there should be a layer that shows the table in text form in TShark and as a table window in Wireshark.)
So would you need the full protocol tree *every* time the packet is dissected, or just the *first* time (meaning you'd save the results of the first-pass processing and not require it later)?