This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How many time does a saved pcap get analyzed automatically?

0
1

I have a small pcap with just one packet in it. I also have a Lua dissector that analyzes the protocol used in the packet. There is a line of debug info in the dissector. The debug info should only be output once if the packet is analyzed once.

To my surprise, when I click on the pcap in Wireshark, the debug info is output multiple times. In Mac it is output 18 times, and in Windows, it is output 3 times.

Why is this?

asked 01 Apr '14, 07:58

YXI's gravatar image

YXI
21182023
accept rate: 0%


One Answer:

0

First the entire file is read is read in sequence then packets are read "by the GUI" to display them. If a packet is "clicked" it will be re-read if the packet list is scrolled the packet the packets that becomes vissible will be re-read. Why the MAC (Qt?) version reads them 18 times I don't know.(There is a bug report about that.)

answered 01 Apr '14, 09:13

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

Why the MAC (Qt?) version reads them 18 times I don't know.

don't they claim to have the better (best) system? So, I guess they do everything better than windows, even analyzing a frame in Wireshark. And what is better than 3 times? Of course: 18 times ;-))

(02 Apr '14, 13:57) Kurt Knochner ♦

But it only takes the Mac the same time to analyze it 18 times, as it takes Windows to analyze it 3 times. ;)

(02 Apr '14, 14:11) Hadriel

dammit .....

(02 Apr '14, 14:17) Kurt Knochner ♦

What about Linux? I bet those smart guys can make in one shot and less than half the time, it takes to boil an egg in the center of the sun.

(02 Apr '14, 14:18) Kurt Knochner ♦