This is done by design. Wireshark uses a 2-stage dissection to be able to do stuff like the cross-reference of request/response relationships or reassembly. As you cannot do this without starting the dissection, we need to go over every packet.
There is no way to avoid that; your dissector should not be built in a way that it may lead to issues. And normally it also should not run into any issues.
Also, just as a heads-up, there is a difference between reported length and remaining length. Reported does not necessarily give you the complete packet but may be larger than the actual bytes. Remaining counts the bytes remaining inside the frame.
I am also not sure if directly dissecting the PDUs is such a good idea here. You should not need it to get the length back. Rather the dissecting method should return the remaining bytes and you can remove that from the length reported.
It might be a good idea to read through our documentation about the various lengths and the repercussions again.
cheers
Roland
I have some issue with the dissector going over my packets more than once.
There's a legitimate reason to go over *some* packets more than once - if I have more than a single PDU in a packet (or a reassembled one), that's fine. But it just seems that it goes over all packets. I'm trying to fight it off with !pinfo->fd->visited, but I'm quite sure I'm doing something wrong. My code is quite standard:
static int
dissect_scylla(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
{
    tcp_dissect_pdus(tvb, pinfo, tree, scylla_desegment, SCYLLA_NEGOTIATION_SIZE,
                     get_scylla_pdu_len, dissect_scylla_pdu, data);
    return tvb_reported_length(tvb);
}
The get_scylla_pdu_len isn't, regretfully - it does find_conversation() and if it exists uses it (to get the state of protocol features, such as streaming, compression, etc.)
TIA,
Y.
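
Added example, not part of the original thread and not Wireshark or Scylla dissector code: a self-contained C model of why a dissector that reads live conversation state (such as a compression flag) gives different results on a later pass, and how snapshotting that state per frame on the first visit keeps it stable. All types and function names are hypothetical stand-ins; only `pinfo->fd->visited` and `p_add_proto_data` in the comments refer to real Wireshark names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT the epan API: every name here is hypothetical. */
enum { PDU_DATA, PDU_ENABLE_COMPRESSION };
typedef struct { bool compressed; } conv_state_t; /* live per-connection state */
typedef struct {
    bool visited;          /* models pinfo->fd->visited */
    conv_state_t snapshot; /* models per-frame data (p_add_proto_data in Wireshark) */
} frame_t;
typedef bool (*dissect_fn)(conv_state_t *, frame_t *, int pdu_type);

/* Naive: reads and mutates the live conversation state on every pass. */
static bool dissect_naive(conv_state_t *conv, frame_t *f, int pdu_type) {
    bool compressed = conv->compressed;
    if (pdu_type == PDU_ENABLE_COMPRESSION) conv->compressed = true;
    return compressed;
}

/* Re-entrant: snapshot on the first visit, replay the snapshot afterwards. */
static bool dissect_safe(conv_state_t *conv, frame_t *f, int pdu_type) {
    if (!f->visited) {
        f->snapshot = *conv;
        if (pdu_type == PDU_ENABLE_COMPRESSION) conv->compressed = true;
    }
    return f->snapshot.compressed;
}

/* Run `passes` passes over a constructed 3-frame capture; return whether
 * frame `idx` was decoded as compressed on the last pass. */
static bool decode_after_passes(dissect_fn fn, int passes, int idx) {
    static const int capture[3] = { PDU_DATA, PDU_ENABLE_COMPRESSION, PDU_DATA };
    frame_t frames[3];
    conv_state_t conv = { false };
    bool result = false;
    memset(frames, 0, sizeof frames);
    for (int pass = 0; pass < passes; pass++)
        for (int i = 0; i < 3; i++) {
            bool r = fn(&conv, &frames[i], capture[i]);
            frames[i].visited = true; /* set once the first pass has seen the frame */
            if (i == idx) result = r;
        }
    return result;
}

int main(void) {
    printf("%d %d\n", decode_after_passes(dissect_naive, 2, 0), decode_after_passes(dissect_safe, 2, 0));
    return 0;
}
```

In the naive variant, frame 0 is decoded as uncompressed on the first pass and as compressed on the second, because the conversation state has already advanced to its end-of-capture value.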