This is done by design. Wireshark uses a 2-stage dissection to be able to
stuff like the cross-reference of request/response relationships or
reassembly. As you cannot do this without starting the dissection we need
to go over every packet.
There is no way to avoid that, your dissector should not be build in a way
that it may lead to issues. And normally it also should not run into any
issues.
Also, just as a headsup, there is a difference between reported length and
remaining length. Reported does not necessarily give you the complete
packet but may be larger as the actual bytes. Remaining counts the bytes
remaining inside the frame.
I am also not sure if directly dissecting the pdus is such a good idea
here. You should not need it to get the length back. Rather the dissecting
method should return the remaining bytes and you can remove that from the
length reported.
It might be a good idea to read through our documentation about the various
lengths and the repercussions again.
cheers
Roland
Am Do., 22. Mai 2025 um 17:22 Uhr schrieb Yaniv Kaul via Wireshark-dev <
wireshark-dev@wireshark.org>:
> I have some issue with the dissector going over my packets more than once.
> There's a legitimate reason to go over *some* packets more than once - if
> I have more than a single PDU in a packet (or a reassembled one), that's
> fine. But it just seems that it goes over all packets. I'm trying to fight
> it off with !pinfo->fd->visited, but I'm quite sure I'm doing
> something wrong. My code is quite standard:
> static int
> dissect_scylla(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void*
> data)
> {
> tcp_dissect_pdus(tvb, pinfo, tree, scylla_desegment,
> SCYLLA_NEGOTIATION_SIZE,
> get_scylla_pdu_len, dissect_scylla_pdu, data);
> return tvb_reported_length(tvb);
> }
>
> The get_scylla_pdu_len isn't, regretfully - it does find_conversation()
> and if it exists uses it (to get the state of protocol features, such as
> streaming, compression, etc.)
>
> TIA,
> Y.
> _______________________________________________
> Wireshark-dev mailing list -- wireshark-dev@wireshark.org
> To unsubscribe send an email to wireshark-dev-le...@wireshark.org
>
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@wireshark.org
To unsubscribe send an email to wireshark-dev-le...@wireshark.org
