Re: [Wireshark-dev] Calling chained dissector only once and modifying payload for further processing

[Jeswin Mathai]

Hi Peter,

Thanks for the reply, and Yes I'm storing the modified payload in a table.
and fetching it whenever the dissector is called again. I was little
worried about memory consumption since maintaining a table for 100k packets
sounds a little heavy. and thought there was some other alternative rather
than storing it. But after going through ssl dissector, Wireshark does it
in a similar manner.

Regards
Jeswin

On Sat, Apr 14, 2018 at 2:04 PM Peter Wu  wrote:

> Hi Jeswin,
>
> On Thu, Apr 12, 2018 at 12:45:21PM +, Jeswin Mathai wrote:
> > want to modify payload of a packet before it is processed by its desired
> > dissector. I've written a chained dissector in lua, which modifies the
> tvb
> > and then calls the next dissector with the modified tvb. The plugins is
> > working correctly. The issue I'm facing is that the dissector is called
> > every time, upon applying filter or opening the io graph, which makes it
> > slower. I can call my dissector only once by checking the value of
> > pinfo.visited. But doing so the payload is not modified and the desired
> > dissector processes the original payload after the first run. I'm looking
> > for a solution so that my dissector is called only onces, which will
> > processes and modifies the payload on the first run. The modified payload
> > should persist so that whenever the packet is visited again(by applying
> > filters or IO graph or Endpoints) the desired dissector would process the
> > modifed payload rather than the original one
>
> Do you have some sample code that shows the operations you are
> performing? Perhaps there is room for optimization.
>
> If memory usage is not a concern, you could store the processed data in
> a table (keyed by pinfo.number) and refer to it on the second pass. Be
> sure to clear this table when the proto.init callback is invoked (where
> proto is your Proto instance), this callback is executed every time a
> capture file is reloaded.
> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
> ___
> Sent via:Wireshark-dev mailing list 
> Archives:https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>  mailto:wireshark-dev-requ...@wireshark.org
> ?subject=unsubscribe
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Calling chained dissector only once and modifying payload for further processing

[Peter Wu]

Hi Jeswin,

On Thu, Apr 12, 2018 at 12:45:21PM +, Jeswin Mathai wrote:
> want to modify payload of a packet before it is processed by its desired
> dissector. I've written a chained dissector in lua, which modifies the tvb
> and then calls the next dissector with the modified tvb. The plugins is
> working correctly. The issue I'm facing is that the dissector is called
> every time, upon applying filter or opening the io graph, which makes it
> slower. I can call my dissector only once by checking the value of
> pinfo.visited. But doing so the payload is not modified and the desired
> dissector processes the original payload after the first run. I'm looking
> for a solution so that my dissector is called only onces, which will
> processes and modifies the payload on the first run. The modified payload
> should persist so that whenever the packet is visited again(by applying
> filters or IO graph or Endpoints) the desired dissector would process the
> modifed payload rather than the original one

Do you have some sample code that shows the operations you are
performing? Perhaps there is room for optimization.

If memory usage is not a concern, you could store the processed data in
a table (keyed by pinfo.number) and refer to it on the second pass. Be
sure to clear this table when the proto.init callback is invoked (where
proto is your Proto instance), this callback is executed every time a
capture file is reloaded.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe