On Jun 8, 2018, at 10:10 AM, Paul Offord <[email protected]> wrote:
> proto_register_diameter(void) contains:
>
> /* Delay registration of Diameter fields */
> proto_register_prefix("diameter", register_diameter_fields);
>
> I wasn’t aware of this function.
It might not help in your case.
What it *does* support is "lazy" registration of fields, where the field
registration is delayed until a field with a given prefix needs to be used
(e.g., in a custom column or in a packet-matching expression). The callback
specified as the second argument to proto_register_prefix() is called in that
case.
This lets you use Diameter fields in custom columns, read filters, and coloring
rules.
This works for Diameter because the only reason to delay registering Diameter
fields is that it's time-consuming - it has to read the entire Diameter
dictionary and process it.
In your case, where the file *itself* contains information that's used to
define fields, there's no callback you can supply.
In order to allow your fields to be used in custom columns, read filters, and
coloring rules, you will have to
1) require that *all* TDBs in a pcapng file section appear before *any*
block type that *might* (not *will*, but *might*), have a custom column, be
affected by a coloring rule, be filtered by a display filter, or be discarded
by a read filter - this presumably includes all packet blocks and TRBs;
2) arrange that there be a phase in the capture-file reading process
that comes *after* the file is opened but *before* the main record-reading loop
occurs, and *before* the custom columns, read filter, and coloring rules are
used.
This will require a significant API change in libwiretap and significant
changes to the file reading process in programs that use it, so this will only
work in Wireshark 3.0.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
