Wireshark-dev: [Wireshark-dev] Re: Packet visited more than once?

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Thu, 22 May 2025 15:26:16 -0400
On Thu, May 22, 2025 at 2:55 PM Yaniv Kaul via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:


On Thu, 22 May 2025, 21:20 John Thacker, <johnthacker@xxxxxxxxx> wrote:
I don't understand what you mean. How would you do that? If you mean something like on the same pass through all the frames, then the TCP dissector will call your dissector with a tvbuff starting at the next offset to dissect, after all the PDUs you have dissected. If you mean on an entirely different pass through the frames (or after clicking on a different frame in the GUI), I don't understand what you mean.

I guess I need to re-read other dissectors, as I stumble to get it right. I need a state machine for my dissector, which I can easily keep in a conversation. But without re-running it as Wireshark goes again dissecting the PDUs.
First packet, client to server. Great, set up conversation, save a bit of state. Server responds - we advance the state, save some more properties (which compression we've agreed upon, etc.) Now dissect more packets... And then we are suddenly back to the first client to server negotiation packet, but now there is already an existing conversation (and state), but it doesn't match - first packet is not compressed, for example. Perhaps I need to reset the state. 

I'll need to give it some more thought. 
Thanks for your response.

You cannot in general save state-like information in a conversation (or in a global variable) and expect the packets to be processed sequentially any time other than the first pass. Packets can and will be dissected out of order when a user clicks around on the GUI. To deal with state-machine-like information, there are generally two options:

1. Store the state information at the point of entering a packet in packet level proto data (see epan/proto_data.h, p_add_proto_data) in the first pass and retrieve it from there on subsequent passes.
2. Store state transitions in a wmem_tree or similar in the conversation, and look up the state via packet number in the tree.

There are examples of both approaches in dissectors in the repository.

John
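
Option 2 from the reply above, as an added stand-alone model (not part of the original message and not Wireshark code): transitions are recorded by frame number on the first pass only, and every dissection looks up the state in effect for its own frame. The states, message kinds and structs are hypothetical; the sorted array stands in for a wmem_tree in the conversation, and `visited` stands in for the frame's `pinfo->fd->visited` flag.

```c
#include <stddef.h>
#include <stdint.h>

enum state { ST_NONE, ST_NEGOTIATING, ST_COMPRESSED };        /* hypothetical */
enum msg   { MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_DATA };  /* hypothetical */

struct transition { uint32_t from_frame; enum state st; };
struct conv { struct transition t[8]; size_t n; };  /* model of the per-conversation tree */

/* State in effect when `frame` is entered: the last transition whose
 * from_frame <= frame (a "less than or equal" lookup by packet number). */
static enum state state_at(const struct conv *c, uint32_t frame)
{
    enum state st = ST_NONE;
    for (size_t i = 0; i < c->n && c->t[i].from_frame <= frame; i++)
        st = c->t[i].st;
    return st;
}

/* Append-only; called only on the first pass, which is sequential,
 * so the array stays sorted by frame number. */
static void record(struct conv *c, uint32_t from_frame, enum state st)
{
    if (c->n < sizeof c->t / sizeof c->t[0])
        c->t[c->n++] = (struct transition){ from_frame, st };
}

/* Model of the dissector entry point. Returns the state the frame is
 * dissected under, which is the same on every pass. */
static enum state dissect(struct conv *c, uint32_t frame, int visited, enum msg m)
{
    enum state st = state_at(c, frame);   /* never read a "current" state */
    if (!visited) {                       /* mutate only on the first pass */
        if (m == MSG_CLIENT_HELLO) record(c, frame + 1, ST_NEGOTIATING);
        if (m == MSG_SERVER_HELLO) record(c, frame + 1, ST_COMPRESSED);
    }
    return st;
}

int main(void)
{
    struct conv c = { .n = 0 };
    /* Constructed capture: frame 1 client hello, 2 server hello, 3 data. */
    dissect(&c, 1, 0, MSG_CLIENT_HELLO);
    dissect(&c, 2, 0, MSG_SERVER_HELLO);
    dissect(&c, 3, 0, MSG_DATA);
    /* User clicks back on frame 1: it is still dissected as uncompressed. */
    return dissect(&c, 1, 1, MSG_CLIENT_HELLO) == ST_NONE ? 0 : 1;
}
```

A transition takes effect at `frame + 1` because the frame that triggers it is itself dissected under the previous state; several PDUs in one frame would need a finer key than the frame number.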