Re: Info column with multiple PDUs in one frame

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Wed, Oct 25, 2017 at 12:08 PM, Thomas Wiens <th.wiens () gmx de> wrote:

> Hi,
>
> is there a common way or best practice of how to add information to the
> info column, when there are multiple independent PDUs inside a frame
> possible?
>
> Currently I'm first cleaning out the info column with:
> col_clear(pinfo->cinfo, COL_INFO);
>
> But at the protocol I'm working on (s7comm), it's possible to have
> multiple PDUs inside one frame.
> So if you only look at the info column, you'd think there is only one
> PDU in this frame (see attachement s7comm-multi-pdu.png), which I think
> is not the best way to do this.
>
> But, if it's a TCP reassembled frame, then clearing the info column
> seems not to work.
> In this case the info-additions from both PDUs are shown (see
> attachement s7comm-multi-pdu-with-tcp-reassembling.png).
>
> Is there a way to detect if the info column has entries from my
> protocol, and then instead of wiping the column out, attaching "/" or
> anything like that?


Typically how multiple PDUs are handled is by setting a "fence" in the INFO
column.  Calling col_clear() only clears as far back as the fence; this
allows upper-layer dissectors to clear what the lower-layer dissector(s)
put in the INFO column--but only for the current PDU.

This is how SCTP-based protocols show multiple (bundled) PDUs in the INFO
column.  Check out the call to col_set_fence() in the SCTP dissector.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe