I was able to do this at least for now (thanks Anders).

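    if (tree != NULL) {
        GPtrArray *items = proto_all_finfos(tree);
        if (items) {
            guint i;
            /* TODO: if get past "frame" entries, not going to be found, so break. */
            for (i = 0; i < items->len; i++) {
                field_info *field = (field_info *)g_ptr_array_index(items, i);
                if (strcmp(field->hfinfo->abbrev, "frame.comment") == 0) {
                    /* Per-packet comment as added to the tree by the frame dissector. */
                    value = field->value.value.string;
                    break;
                }
            }
            /* The array from proto_all_finfos() belongs to the caller; free it
               (the field_info entries themselves stay owned by the tree). */
            g_ptr_array_free(items, TRUE);
        }
    }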

On Mon, Oct 17, 2016 at 3:33 PM, Martin Mathieson
<martin.r.mathie...@googlemail.com> wrote:
> Hi,
> I am trying to read the per-packet (user) comment in a post-dissector.
> Calling epan_get_user_comment(pinfo->epan, pinfo->fd) doesn't work -
> the epan_session callback for get_user_comment() is set to NULL.
> The callback that is set in places where the comment is available uses
> ws_get_user_comment() as its callback, which looks up a hash table in
> the capture_file struct.
> I need to leave this for now, but if anyone happens to have looked
> into this before I'd be grateful to hear about it.
> Best regards,
> Martin
> P.S. This may be a hacky thing to want to do, but my motivation is to
> at least demo being able to show Snort alerts this week by reading the
> comment (attached by TraceWrangler) rather than running Snort from
> within the post-dissector
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev