List: wireshark-dev
Subject: [Wireshark-dev] Tshark: proto_tree not created on first pass - Tap not the answer
From: Paul Offord <Paul.Offord () advance7 ! com>
Date: 2017-02-15 19:56:14
Message-ID: 69CB24EC39368E438FFE300C1813C50B01C33933 () ASLHQSBS ! aslhq ! local
Although TRANSUM had a fake tap listener, it didn't include a packet callback pointer; it was just set to NULL. I've added a dummy packet callback and discovered that the use of the tap mechanism isn't going to fix the Tshark issue.
When used with Wireshark, the packet callback gets called for every packet on the first pass and every packet on subsequent passes. That sounds good. When used with Tshark, the packet callback only gets called on the second pass (when using the -2 command line option).
-----Original Message-----
From: wireshark-dev-bounces@wireshark.org [mailto:wireshark-dev-bounces@wireshark.org] On Behalf Of Guy Harris
Sent: 13 February 2017 03:55
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>
Subject: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
The underlying problem here appears to be that the TRANSUM post-dissector is not only adding stuff to the protocol tree, which obviously doesn't need to be done if there is no protocol tree, but is also doing *analysis* of the packet information.
The latter of those should *not* be done in a dissector - it should be done in a tap.
Unfortunately, *currently*, taps are run after all dissectors, including post-dissectors, are run, which might not work for this purpose. If so, what we probably would need here is to have a mechanism to allow taps to be run "early". For now, we could define "early" as "before the post-dissectors are run".
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe