Wireshark-dev: Re: [Wireshark-dev] Info column with multiple PDUs in one frame

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 25 Oct 2017 12:36:10 -0400


On Wed, Oct 25, 2017 at 12:08 PM, Thomas Wiens <th.wiens@xxxxxx> wrote:
Hi,

is there a common way or best practice of how to add information to the
info column, when there are multiple independent PDUs inside a frame
possible?

Currently I'm first cleaning out the info column with:
col_clear(pinfo->cinfo, COL_INFO);

But at the protocol I'm working on (s7comm), it's possible to have
multiple PDUs inside one frame.
So if you only look at the info column, you'd think there is only one
PDU in this frame (see attachement s7comm-multi-pdu.png), which I think
is not the best way to do this.

But, if it's a TCP reassembled frame, then clearing the info column
seems not to work.
In this case the info-additions from both PDUs are shown (see
attachement s7comm-multi-pdu-with-tcp-reassembling.png).

Is there a way to detect if the info column has entries from my
protocol, and then instead of wiping the column out, attaching "/" or
anything like that?

Typically how multiple PDUs are handled is by setting a "fence" in the INFO column.  Calling col_clear() only clears as far back as the fence; this allows upper-layer dissectors to clear what the lower-layer dissector(s) put in the INFO column--but only for the current PDU.

This is how SCTP-based protocols show multiple (bundled) PDUs in the INFO column.  Check out the call to col_set_fence() in the SCTP dissector.