List: wireshark-dev
Subject: Re: [Wireshark-dev] Lua script reads every packet twice
From: Jerry White <jerrywhite518 () gmail ! com>
Date: 2019-06-05 22:25:28
Message-ID: CAN_EBzpL+wa+neL95F-zTwQPGmVZUWQ6a7kNBRicrMjCijUDAA () mail ! gmail ! com
Guy and Pascal,
Thanks very much!
Jerry
On Wed, Jun 5, 2019 at 12:52 PM Guy Harris <guy@alum.mit.edu> wrote:
> On Jun 5, 2019, at 12:34 PM, Jerry White <jerrywhite518@gmail.com> wrote:
>
> > Please forgive for such a basic question. I noticed that my lua
> > dissector processes a trace file twice.
>
> *Wireshark* can process packets more than once; we will never guarantee
> that a dissector will see a packet only once.
>
> Even *TShark* can do so if run with the -2 flag.
>
> So you will need to make sure your dissector can handle this.
>
> > To isolate the issue I have removed nearly all my business code
>
> A dissector should
>
> 1) set columns for the packet as appropriate;
>
> 2) build a protocol tree of fields in the packet;
>
> 3) build, on the first pass, any data structures needed when
> redissecting - on the first pass, packets are processed in order, but
> packets may be handed to the dissector in random order after that, so if
> the dissection of packet N depends on the contents of packet M, for M < N,
> you'll need to remember whatever information allows you to dissect packet N
> in the future, even if packet M isn't dissected again first.
>
> It should *not* report any statistics or other analysis information. It
> may calculate and save that information, on the first pass, but it
> shouldn't report it; reporting that information should be done by taps - see
>
>
> https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.tapping;hb=HEAD
>
> (or the doc/README.tapping file in the source tree)
>
> If your dissector needs to do something only on the first pass, it needs
> to check the packet's "visited" flag; see
>
>
> https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Pinfo.html#lua_class_Pinfo
>
> for information on how to do that from Lua code.
>
> So if your business code is doing any reporting of statistics, or other
> information that's not in the "a dissector should" list above, it needs to
> be done outside the dissector.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@wireshark.org
> ?subject=unsubscribe
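
An added example, not code from the thread or from the Wireshark project: a minimal Lua dissector that follows the three-point list and the "visited" advice quoted above, with reporting moved into a tap. The `demo` protocol, its 5-byte layout and UDP port 9999 are hypothetical.

```lua
-- Hypothetical protocol: byte 0 = type (1 request, 2 response), bytes 1-4 = transaction id.
local demo = Proto("demo", "Demo Request/Response")
local f_type   = ProtoField.uint8("demo.type", "Type", base.DEC)
local f_xid    = ProtoField.uint32("demo.xid", "Transaction ID", base.HEX)
local f_req_in = ProtoField.framenum("demo.request_in", "Request in frame")
demo.fields = { f_type, f_xid, f_req_in }

local pending = {}    -- xid -> frame number of the latest request (used on first pass only)
local req_frame = {}  -- response frame number -> request frame number (kept for redissection)

-- Called when a capture is (re)loaded: drop state left over from the previous file.
function demo.init()
    pending, req_frame = {}, {}
end

function demo.dissector(tvb, pinfo, tree)
    if tvb:len() < 5 then return 0 end
    local msg_type = tvb(0, 1):uint()
    local xid = tvb(1, 4):uint()

    -- First pass only: packets arrive in order, so build the lookup state here.
    if not pinfo.visited then
        if msg_type == 1 then
            pending[xid] = pinfo.number
        elseif msg_type == 2 and pending[xid] then
            req_frame[pinfo.number] = pending[xid]
            pending[xid] = nil
        end
    end

    -- Every pass: columns and tree, using only state keyed by this frame's number,
    -- so the result is the same whatever order packets are redissected in.
    pinfo.cols.protocol = "DEMO"
    local subtree = tree:add(demo, tvb())
    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_xid, tvb(1, 4))
    if req_frame[pinfo.number] then
        subtree:add(f_req_in, req_frame[pinfo.number]):set_generated()
    end
    return tvb:len()
end
DissectorTable.get("udp.port"):add(9999, demo)

-- Reporting lives in a tap, not in the dissector.
local tap = Listener.new("frame", "demo")
local seen = 0
function tap.reset() seen = 0 end
function tap.packet(pinfo, tvb) seen = seen + 1 end
function tap.draw() print("demo packets: " .. seen) end
```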