>Message: 1
>Date: Sat, 16 Sep 2017 13:38:31 +0100
>From: Peter Wu <[email protected]>
>To: John Dill <[email protected]>,
> "[email protected]" <[email protected]>
>Subject: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or
> COL_INFO data
>Message-ID: <[email protected]>
>Content-Type: text/plain; charset=utf-8
>
>Hi John,
>
>Are your col_* functions guarded/affected by a check like if(tree) or do they
>depend on pinfo->fd.visited? Are the affected frames >triggering reassembly or
>exceptions?
Part of it is. I have a udp heuristic dissector that has a section that's kind
of like this. I have to be careful with actual content, so here is pseudo-code
skeletal structure.
gboolean
dissect_protocol_udp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
void *data)
{
...
data_class = tvb_get_guint8(tvb, offset);
if (data_class in list of recognized values)
{
col_add_str(pinfo->cinfo, COL_INFO, val_to_str(data_class,
data_class_enum_vals, "Unknown"); /*this always works*/
...
if (tree)
{
if (data_class == XXX) {
dissect_xxx(tvb, pinfo, offset, tree);
}
if (data_class == YYY) {
...
}
...
}
...
}
}
And the COL_INFO that gets lost is in the dissect_xxx function, which has
several col_append functions used. It gets lost after using a filter
expression and I never get it back after that.
I've noticed this 'if (tree)' issue in a couple of the searches I've done
attributed to this problem, but I don't quite understand the impact it has on
dissection and populating the COL_INFO and friends column. Any explanation or
pointer to how this interaction works would be greatly appreciated.
Best regards,
John Dill
P.S. Thanks to Michael for the follow up too.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
