Wireshark mailing list archives
Re: New Dissector only applied to first packet
From: Jan Willamowius <jan () willamowius de>
Date: Fri, 2 Nov 2012 21:28:54 +0100
Guy Harris wrote:
On Nov 2, 2012, at 7:00 AM, Jan Willamowius <jan () willamowius de> wrote:I'm writing my first dissector based on the example in the Developers Guide and README.developer. I register my dissector for a certain port using dissector_add_uint("udp.port", FOO_PORT, handle); I notice that it only gets applied to the first packet that matches the port and I can't apply it to other packets, not even using "Decode As"."Only gets applied" meaning "you have a printf or are running it in the debugger and it's only being called for the first UDP packet being sent to or from port FOO_PORT" or "only gets applied" meaning "I only see the first UDP packet sent to or from port FOO_PORT having the dissector's information in the Protocol and Info columns and only see the dissector's information in the packet details pane when I click on the first such packet"?
I put a printf in and my dissector doesn't get called.
What do the other packets to or from that port show up as? Do they just show up as UDP, or are they showing up as some other protocol on top of UDP (and perhaps as a "malformed" packet for that protocol)? If the latter, there may be a heuristic dissector or dissectors that are claiming the packets; if the packets aren't for those dissectors' protocols, perhaps the dissectors need to have their heuristics strengthened.
It turns out that other packets in between are responsible for the dissector not being called for packets that come after them. If I mark those to be ignored in the GUI, my dissector is called for all matching packets and works fine. My dissector only handles UDP packets, but strangely the stop-packets are all TCP packets and I have verified that my dissector never even gets called for them. Any ideas ? Thanks, Jan -- Jan Willamowius, jan () willamowius de, http://www.gnugk.org/ ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- New Dissector only applied to first packet Jan Willamowius (Nov 02)
- Re: New Dissector only applied to first packet Guy Harris (Nov 02)
- Re: New Dissector only applied to first packet Jan Willamowius (Nov 02)
- Re: New Dissector only applied to first packet Guy Harris (Nov 02)
- Re: New Dissector only applied to first packet Jan Willamowius (Nov 02)
- Re: New Dissector only applied to first packet Guy Harris (Nov 04)
- Re: New Dissector only applied to first packet Jan Willamowius (Nov 05)
- Re: New Dissector only applied to first packet Anders Broman (Nov 06)
- Re: New Dissector only applied to first packet Jan Willamowius (Nov 06)
- Re: New Dissector only applied to first packet Anders Broman (Nov 07)
- Re: New Dissector only applied to first packet Jan Willamowius (Nov 02)
- Re: New Dissector only applied to first packet Guy Harris (Nov 02)