Wireshark mailing list archives
Re: causes for losing COL_PROTOCOL or COL_INFO data
From: John Dill <John.Dill () greenfieldeng com>
Date: Mon, 18 Sep 2017 15:52:30 +0000
Message: 1 Date: Sat, 16 Sep 2017 13:38:31 +0100 From: Peter Wu <peter () lekensteyn nl> To: John Dill <John.Dill () greenfieldeng com>, "wireshark-dev () wireshark org" <wireshark-dev () wireshark org> Subject: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or COL_INFO data Message-ID: <288553DC-6272-4581-A5E5-15B933BE7178 () lekensteyn nl> Content-Type: text/plain; charset=utf-8 Hi John, Are your col_* functions guarded/affected by a check like if(tree) or do they depend on pinfo->fd.visited? Are the affected frames >triggering reassembly or exceptions?
Part of it is. I have a udp heuristic dissector that has a section that's kind of like this. I have to be careful with actual content, so here is pseudo-code skeletal structure. gboolean dissect_protocol_udp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { ... data_class = tvb_get_guint8(tvb, offset); if (data_class in list of recognized values) { col_add_str(pinfo->cinfo, COL_INFO, val_to_str(data_class, data_class_enum_vals, "Unknown"); /*this always works*/ ... if (tree) { if (data_class == XXX) { dissect_xxx(tvb, pinfo, offset, tree); } if (data_class == YYY) { ... } ... } ... } } And the COL_INFO that gets lost is in the dissect_xxx function, which has several col_append functions used. It gets lost after using a filter expression and I never get it back after that. I've noticed this 'if (tree)' issue in a couple of the searches I've done attributed to this problem, but I don't quite understand the impact it has on dissection and populating the COL_INFO and friends column. Any explanation or pointer to how this interaction works would be greatly appreciated. Best regards, John Dill P.S. Thanks to Michael for the follow up too. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- causes for losing COL_PROTOCOL or COL_INFO data John Dill (Sep 15)
- Re: causes for losing COL_PROTOCOL or COL_INFO data Peter Wu (Sep 16)
- Re: causes for losing COL_PROTOCOL or COL_INFO data Michael Mann via Wireshark-dev (Sep 16)
- <Possible follow-ups>
- Re: causes for losing COL_PROTOCOL or COL_INFO data John Dill (Sep 18)
- Re: causes for losing COL_PROTOCOL or COL_INFO data Jaap Keuter (Sep 18)
- Re: causes for losing COL_PROTOCOL or COL_INFO data John Dill (Sep 19)