I was able to do this at least for now (thanks Anders).

    if (tree != NULL) {
        GPtrArray *items = proto_all_finfos(tree);
        if (items) {
            guint i;
            /* TODO: if get past "frame" entries, not going to be found, so break. */
            for (i = 0; i < items->len; i++) {
                field_info *field = (field_info *)g_ptr_array_index(items, i);
                if (strcmp(field->hfinfo->abbrev, "frame.comment") == 0) {
                    value = field->value.value.string;
                    break;
                }
            }
            g_ptr_array_free(items, TRUE);
        }
    }
On Mon, Oct 17, 2016 at 3:33 PM, Martin Mathieson <martin.r.mathie...@googlemail.com> wrote:
> Hi,
>
> I am trying to read the per-packet (user) comment in a post-dissector.
> Calling epan_get_user_comment(pinfo->epan, pinfo->fd) doesn't work -
> it the epan_session callback for get_user_comment() is set to NULL.
>
> The callback that is set in places where the comment is available uses
> ws_get_user_comment() as its callback, which looks up a hash table in
> the capture_file struct.
>
> I need to leave this for now, but if anyone happens to have looked
> into this before I'd be grateful to hear about it.
>
> Best regards,
> Martin
>
> P.S. This may be a hacky thing to want to do, but my motivation is to
> at least demo being able to show Snort alerts this week by reading the
> comment (attached by TraceWrangler) rather than running Snort from
> within the post-dissector

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
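The same lookup Martin's C loop performs (walking the already-built tree for the "frame.comment" field instead of calling epan_get_user_comment(), whose session callback is NULL in a post-dissector) can be done from a Wireshark Lua post-dissector with a field extractor. The script below is an added example written for this page, not code from the thread or from Wireshark itself; the protocol name pktcomment_demo and its field are made up for illustration, and the script only re-displays the comment so you can confirm it is reachable at post-dissection time.

```lua
-- Added example (not from the thread): read the per-packet comment in a
-- Lua post-dissector via the "frame.comment" field, which the frame
-- dissector has already added to the tree by the time post-dissectors run.
local comment_proto = Proto("pktcomment_demo", "Packet comment demo")  -- hypothetical name
local pf_comment = ProtoField.string("pktcomment_demo.text", "Comment")
comment_proto.fields = { pf_comment }

-- Field extractors must be created at load time, before any dissection starts.
local f_frame_comment = Field.new("frame.comment")

function comment_proto.dissector(tvb, pinfo, tree)
    -- Returns a FieldInfo when the packet carries a comment, nil otherwise;
    -- most packets have none, so this check is the normal path.
    local fi = f_frame_comment()
    if fi == nil then
        return
    end
    local subtree = tree:add(comment_proto, tvb())
    subtree:add(pf_comment, fi.value)
end

register_postdissector(comment_proto)
```

Load it with `wireshark -X lua_script:pktcomment_demo.lua` (or from the plugins directory) and open a pcapng whose packets carry comments; packets without a comment get no extra subtree. Because the extractor reads the finished frame subtree rather than the capture_file hash table, it works wherever the frame dissector has run, which is the same reason the tree walk in the C snippet succeeds where the epan callback does not.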