Re: Dissector for stream data

[Guy Harris <guy () alum mit edu>]

On Dec 25, 2011, at 1:50 AM, Andriy Beregovenko wrote:

> Hi Andreas,
>
> On Sun, Dec 25, 2011 at 06:35:42AM +0100, Andreas wrote:
> > Wireshark passes all packets in order to the dissector, when the
> > capture is loaded. After this the dissector will get the packets in
> > arbitrary order.
>
> No. If you do not belive me - test :)

No.  If you do not believe me, read the code - or write some of it, as I did :).

> Wireshark not pass all packets to dissector while loading dump.

Yes, it does.  See cf_read() in file.c, which is the routine that reads in a capture file.  There's a loop that does

        while ((wtap_read(cf->wth, &err, &err_info, &data_offset))) { 
                update the progress bar;
                read_packet();
        }

where read_packet() in file.c:

        if there's a read filter, dissects the packet and checks whether the read filter matches;

        if the read filter matches *OR* if there's no read filter to match, calls add_packet_to_packet_list();

and add_packet_to_packet_list() in file.c also dissects the packet.

What Wireshark does *NOT* do is pass a non-null protocol tree pointer to the dissector when loading a capture file; any 
code that must be run on every packet when the capture file is run in must *NOT* be inside an

        if (tree) {
                ...
        }

block.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe