Wireshark-dev: Re: [Wireshark-dev] Lua script reads every packet twice

From: Jerry White <jerrywhite518@xxxxxxxxx>
Date: Wed, 5 Jun 2019 15:25:28 -0700
Guy and Pascal,

Thanks very much! 

Jerry


On Wed, Jun 5, 2019 at 12:52 PM Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Jun 5, 2019, at 12:34 PM, Jerry White <jerrywhite518@xxxxxxxxx> wrote:

> Please forgive for such a basic question. I noticed that my lua dissector processes a trace file twice.

*Wireshark* can process packets more than once; we will never guarantee that a dissector will see a packet only once.

Even *TShark* can do so if run with the -2 flag.

So you will need to make sure your dissector can handle this.

> To isolate the issue I have removed nearly all my business code

A dissector should

        1) set columns for the packet as appropriate;

        2) build a protocol tree of fields in the packet;

        3) build, on the first pass, any data structures needed when redissecting - on the first pass, packets are processed in order, but packets may be handed to the dissector in random order after that, so if the dissection of packet N depends on the contents of packet M, for M < N, you'll need to remember whatever information allows you to dissect packet N in the future, even if packet M isn't dissected again first.

It should *not* report any statistics or other analysis information.  It may calculate and save that information, on the first pass, but it shouldn't report it; reporting that information should be done by taps - see

        https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.tapping;hb=HEAD

(or the doc/README.tapping file in the source tree)

If your dissector needs to do something only on the first pass, it needs to check the packet's "visited" flag; see

        https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Pinfo.html#lua_class_Pinfo

for information on how to do that from Lua code.

So if your business code is doing any reporting of statistics, or other information that's not in the "a dissector should" list above, it needs to be done outside the dissector.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe