This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is wrong with the following tcp postdissector registration?

My module is a postdissector for tcp packets that needs to be called sometime after the tcp dissector has done its bit. My proto_register_foo() and proto_reg_handoff_foo() functions are as given below:

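    #include <epan/packet.h>
    #include <epan/ipproto.h>   /* IP_PROTO_TCP */

    static int proto_foo = -1;

    void
    proto_register_foo(void)
    {
        static hf_register_info hf[] = {
            ...
        };
        static gint *ett[] = { ...
        };

        /* Register the protocol, its named dissector, fields and subtrees */
        proto_foo = proto_register_protocol("Foo Protocol",
            "FOO", "foo");
        register_dissector("foo", dissect_foo, proto_foo);
        proto_register_field_array(proto_foo, hf, array_length(hf));
        proto_register_subtree_array(ett, array_length(ett));
    }

    void
    proto_reg_handoff_foo(void)
    {
        dissector_handle_t foo_handle;

        /* Look up the handle registered above */
        foo_handle = find_dissector("foo");
        /* Registered in the ip.proto table for TCP ... */
        dissector_add_uint("ip.proto", IP_PROTO_TCP, foo_handle);
        /* ... and also as a postdissector */
        register_postdissector(foo_handle);
    }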

The dissector is being called, but instead of being called at the end, it's being called before the tcp dissector. Worse, the tcp dissector is not being called at all! What mistake have I made here?

asked 05 Aug '12, 23:54

SidR


One Answer:

You've registered the dissector as both a postdissector (register_postdissector()) and as a regular dissector taking all traffic on ip.proto==IP_PROTO_TCP. The latter means that your dissector is pre-empting the TCP dissector.

answered 06 Aug '12, 05:59

JeffMorriss ♦

Thank you Jeff. That seems to be the case here.

(06 Aug '12, 20:55) SidR
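
Added example, not code from the original thread or from Wireshark: a small stand-alone C model of the dispatch order the answer describes, comparing the registration as posted with a postdissector-only registration. `table_add`, `post_add`, `dissect_ip_packet` and the trace strings are hypothetical stand-ins that only mimic `dissector_add_uint()` and `register_postdissector()`; they are not the epan API.

```c
/* Simplified model of the dispatch order; stand-ins, NOT the Wireshark epan API. */
#include <stdio.h>
#include <string.h>

#define IP_PROTO_TCP 6
typedef void (*dissector_t)(char *trace);

static dissector_t ip_proto_table[256]; /* one active handle per ip.proto value */
static dissector_t postdissectors[4];   /* run after normal dissection is done */
static int n_post;

static void dissect_tcp(char *trace) { strcat(trace, "tcp "); }
static void dissect_foo(char *trace) { strcat(trace, "foo "); }

/* Models dissector_add_uint("ip.proto", value, handle): the new handle takes the slot. */
static void table_add(unsigned value, dissector_t d) { ip_proto_table[value & 0xff] = d; }
/* Models register_postdissector(handle). */
static void post_add(dissector_t d) { if (n_post < 4) postdissectors[n_post++] = d; }

/* Start from the state where only the TCP dissector owns ip.proto == 6. */
static void reset(void) {
    memset(ip_proto_table, 0, sizeof ip_proto_table);
    n_post = 0;
    table_add(IP_PROTO_TCP, dissect_tcp);
}
/* Dissect one IP packet: table lookup on the protocol, then every postdissector. */
static const char *dissect_ip_packet(unsigned proto) {
    static char trace[64];
    strcpy(trace, "ip ");
    if (ip_proto_table[proto & 0xff]) ip_proto_table[proto & 0xff](trace);
    for (int i = 0; i < n_post; i++) postdissectors[i](trace);
    return trace;
}
/* Registration as posted in the question: table entry plus postdissector. */
const char *order_as_posted(void) {
    reset();
    table_add(IP_PROTO_TCP, dissect_foo);
    post_add(dissect_foo);
    return dissect_ip_packet(IP_PROTO_TCP);
}
/* Postdissector registration only: TCP keeps its slot, foo runs afterwards. */
const char *order_postdissector_only(void) {
    reset();
    post_add(dissect_foo);
    return dissect_ip_packet(IP_PROTO_TCP);
}
int main(void) {
    printf("as posted:          %s\n", order_as_posted());
    printf("postdissector only: %s\n", order_postdissector_only());
    return 0;
}
```

In the model, the posted registration yields a trace with no `tcp` entry at all, while the postdissector-only registration runs `foo` after `tcp`.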