Wireshark mailing list archives

Re: Detecting capture file load finished in a C plugin


From: Paul Offord <Paul.Offord () advance7 com>
Date: Sun, 20 Dec 2015 11:58:08 +0000

OK - thanks.

I'll check again the business about the dissector being called twice during a capture file load (actually I've written 
a postdissector) in case there isn't a bug.  I've written a Lua postdissector in the past and I know that it gets 
called twice for every frame; once with visited false and then in a second cycle through the frames with visited set to 
true.

Best regards...Paul

-----Original Message-----
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Guy Harris
Sent: 18 December 2015 18:59
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Detecting capture file load finished in a C plugin


On Dec 18, 2015, at 10:41 AM, Paul Offord <Paul.Offord () advance7 com> wrote:

> I’m writing a Custom C Plugin.  As a capture file is loaded, the callback dissect_plugin

I.e., the plugin is a dissector, rather than a handler for a type of capture file, or a statistical tap?

(Yes, there's more than one type of plugin supported.)

> is called for every packet loaded twice over.

That's probably a bug - one time should suffice when doing the initial read of the file - *BUT*:

        in TShark with the -2 flag, it will be called once for each packet in the second pass;

        in Wireshark, it will be called for packets when they're displayed, when they're selected, when a tap is run on them, etc.;

so your dissector *must* be capable of handling being called multiple times - no exceptions.

> Is there a way I can detect the completion of the load of the capture file?

If what you *really* need, in order to handle being called multiple times, is to know whether this is the first time 
the packet is being dissected, you can pass the pinfo pointer to the PINFO_FD_VISITED() macro, and if it returns 
"true", this is *not* the first time the packet is being dissected.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
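
The multiple-call behaviour discussed in this thread, as an added example that is not part of the original messages and is not Wireshark code: a dissector body that updates running state only on a frame's first dissection and replays the saved result on every later call, next to a naive body that does not. The `frame_data` and `packet_info` structs and the macro definition are minimal stand-ins for the real epan declarations; `dissect_naive`, `revisit_frame2`, `MAX_FRAMES` and the frame sizes are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Stand-ins (assumptions) for the Wireshark types involved; a real plugin
 * gets packet_info, frame_data and PINFO_FD_VISITED from the epan headers. */
typedef struct { uint32_t num; bool visited; } frame_data;
typedef struct { frame_data *fd; } packet_info;
#define PINFO_FD_VISITED(pinfo) ((pinfo)->fd->visited)
#define MAX_FRAMES 64                        /* constructed demo limit */
static uint32_t naive_total;                 /* state touched on every call */
static uint32_t safe_total;                  /* state touched on first visit only */
static uint32_t total_at_frame[MAX_FRAMES];  /* per-frame result from first visit */

/* Naive body: cumulative byte count, updated on every call. */
uint32_t dissect_naive(packet_info *pinfo, uint32_t len)
{
    (void)pinfo;
    return naive_total += len;
}

/* Re-entrant body: update running state only on the first dissection,
 * save the result per frame, and replay it on every later call. */
uint32_t dissect_plugin(packet_info *pinfo, uint32_t len)
{
    uint32_t n = pinfo->fd->num;
    if (n >= MAX_FRAMES) return 0;           /* outside the demo table */
    if (!PINFO_FD_VISITED(pinfo)) {
        safe_total += len;
        total_at_frame[n] = safe_total;
    }
    return total_at_frame[n];
}

/* Constructed driver: first pass over three frames, then frame 2 is dissected
 * again (as on redisplay). Returns what `body` reports on that repeat call. */
uint32_t revisit_frame2(uint32_t (*body)(packet_info *, uint32_t))
{
    static const uint32_t lens[] = { 100, 200, 300 };  /* constructed sizes */
    frame_data fds[3];
    packet_info pi;
    naive_total = safe_total = 0;
    for (uint32_t i = 0; i < 3; i++) {
        fds[i].num = i + 1; fds[i].visited = false;
        pi.fd = &fds[i];
        body(&pi, lens[i]);
        fds[i].visited = true;               /* host marks the frame after pass one */
    }
    pi.fd = &fds[1];
    return body(&pi, lens[1]);
}
```

In a real plugin the per-frame value would normally be attached to the frame with `p_add_proto_data()` instead of a fixed array.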
