Wireshark mailing list archives

Re: pinfo->fd->flags.visited for wireshark c dissector


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Wed, 6 Jan 2016 18:48:01 +0100

2016-01-06 8:30 GMT+01:00 Ran Bao <worksev () gmail com>:

Hi

I am currently implementing a dissector plugin for DMR conventional and
trunked protocols. Three layers of protocols were involved. Messages were
sent to a specific UDP port on the server.

UDP port -> Company specified protocol -> DMR Layer 2 Protocols -> DMR
Layer 3 Protocols.

Raw messages are processed or reassembled and delivered to higher layer
sub dissectors for further analysis. Some DMRL2 PDUs are required to be
reassembled into a large message. Due to the limitation of DMRL2 PDUs, many
message bursts do not contain fragmentation number or stop bit. The DMRL2
dissector heavily relies on the receiving order of fragments. I used the
fragment_add_seq_next() function to add each fragment into hash tables.

However, I noticed that the value of pinfo->fd->flags.visited was
initialized with 0, so that each fragment is only added once, when
opening a *.pcapng file with a filter applied. If there is no filter specified
before opening the *.pcapng file, either using Open or Open from recent, the
pinfo->fd->flags.visited for each PDU was set to 1 initially. Hence no
fragment was reassembled.

It turned out that the user has to provide some filter before capturing
or reading from file in order to assemble these PDUs. Is that the feature
that Wireshark was designed for? Is there any method to reset the visited flag for
each PDU?

Hi Ran,

what you report is very surprising. pinfo->fd->flags.visited is set to 0
the very first time a packet is read (first pass), whether a display filter
is set or not. Then all subsequent decoding of the packet has the flag set.
This can be double-checked by putting a breakpoint in the dissect_frame()
function, for example.
Are you sure you do not have some code preventing your dissector from being
called on first pass?

Regards,
Pascal.
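
The first-pass rule described in the reply above, as an added example that is not part of the original thread and is not Wireshark code: a simplified C model in which order-dependent reassembly state changes only while `visited` is 0, and later passes only look up the stored result. `struct frame`, `struct reasm`, `dissect()`, `first_pass()` and the `last` end-of-message marker are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NFRAMES 4

/* Simplified model, not Wireshark code: all names here are hypothetical. */
struct frame { int visited; int last; const char *payload; };

struct reasm {
    char pending[64];           /* fragments collected so far, in arrival order */
    char done[NFRAMES][64];     /* finished message, keyed by closing frame index */
};

/* Dissect frame i; returns the reassembled message it completes, or NULL. */
static const char *dissect(struct reasm *r, struct frame *f, int i)
{
    if (!f[i].visited) {        /* first pass: the only time state is modified */
        strncat(r->pending, f[i].payload,
                sizeof r->pending - strlen(r->pending) - 1);
        if (f[i].last) {        /* assumed marker: this fragment ends a message */
            strcpy(r->done[i], r->pending);
            r->pending[0] = '\0';
        }
    }
    return r->done[i][0] ? r->done[i] : NULL;  /* later passes: lookup only */
}

/* Sequential first pass; the caller (modelling the core) sets visited. */
static void first_pass(struct reasm *r, struct frame *f)
{
    for (int i = 0; i < NFRAMES; i++) {
        dissect(r, f, i);
        f[i].visited = 1;
    }
}

int main(void)
{
    struct frame f[NFRAMES] = {   /* constructed sample fragments */
        {0, 0, "AB"}, {0, 1, "CD"}, {0, 0, "EF"}, {0, 1, "GH"} };
    struct reasm r = {0};
    first_pass(&r, f);
    /* Re-dissection in arbitrary order, as when a user selects frames. */
    printf("%s %s\n", dissect(&r, f, 3), dissect(&r, f, 1));
    return 0;
}
```

If `dissect()` never runs while `visited` is 0, nothing is stored and every later pass returns NULL, which is the symptom reported in the question.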