On Apr 23, 2009, at 8:16 AM, [email protected] wrote: > I'm almost a beginner so maybe I'm wrong, but here is what I suppose: > udp.proto doesn't exists; if you want to dissect all frames that > contain udp protocol, you should use: > dissector_add("ip.proto", 0x11, red_handle) > but in this case you lose the UDP dissection (and your dissection > will be eth:ip:red) and maybe create conflict (I think it can works > if you disable the UDP protocol in WS). > The parameter you give in "dissector_add" should be an expression > associated with a hf_field in the lower dissector
No. The parameter you give in dissector_add() should be the name of a dissector table; the *ONLY* dissector table for UDP is named "udp.port". (Giving dissector tables that correspond to a particular protocol field the same name as the field was an obvious choice, but it *can* confuse people into thinking you can use arbitrary fields in dissector_add() calls.) So, no, you can't use "udp.length" as a field name. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
