Wireshark-dev: Re: [Wireshark-dev] Ability to dynamically dissect in more detail?

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Tue, 16 May 2023 21:15:30 -0400

On Tue, May 16, 2023 at 12:27 PM <jayrturner99@xxxxxxxxx> wrote:

> I have a dissector. I dissect the content as delimited text. Sometimes the textual content has further meaning, but I only want to dissect it in further detail on a packet by packet basis and only if the user requests it on a specific packet.
>
> The reason is that the detailed dissection requires extra information to be loaded and extra dissection processing. Is there any mechanism to expand a section only when requested?

There are lots of optimizations, many automatic and some a little more complicated to employ, that can mean not dissecting in detail fields for packets other than the singular packet currently selected and displayed in the Packet Details frame (with appropriate exceptions for, e.g., fields that are specifically being filtered). You could certainly combine that with a preference that says "only dissect past here on a visible packet" with no problem.

For a visible packet, however, none of the optimizations apply and the entire dissection is performed (up to the limits implied by your hypothetical preference). There's some rendering on the Qt side that doesn't happen until the details are expanded, but the dissection itself is done.

Note that during full dissection, items in a subtree can add additional items as siblings to a parent or grandparent, or to the root of the tree (or even do more unusual things like change the visible text of a parent or grandparent, etc.), so a general ability to not dissect child items until a subtree were expanded could result in oddities. The optimizations to fake items in general deal with this correctly (an example of an exception: https://gitlab.com/wireshark/wireshark/-/issues/17877 - the Protocol Hierarchy stats don't deal well with protocols that change length after the items are added).

John Thacker