This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

According to the WSDG, proto_tree *tree params can be NULL when "asked for a summary of a packet instead of the details". How should I decide whether something is a detail? Where is this difference exactly visible?

In the example, the column data seems to be the summary while the filterable protocol tree is the details. Wouldn't skipping proto_tree_add_item() make all fields unfilterable?

asked 10 Jul '14, 14:49

Lekensteyn

edited 10 Jul '14, 14:50


Basically, if(tree) can be used to make the first pass faster (when all packets are read in sequence) by omitting putting details in the tree which will not be visible in the GUI/TShark output anyway. Writing to columns and calling of subdissectors must be done outside of if(tree) to ensure it always happens, as would reassembly.

If dissection is run with a filter, tree is not NULL; as you noted, filtering wouldn't work otherwise.

A simple dissector would just put the proto name in the tree and write to the proto and info columns outside of if(tree).


answered 11 Jul '14, 00:52

Anders ♦

Note that expert info and calls to subdissectors should not be inside an if(tree) statement.

(11 Jul '14, 02:03) Pascal Quantin
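
The split described in the answer and comment above, as an added example that is not code from the thread's participants or from Wireshark. The `model_*` types and functions are simplified stand-ins for the epan API (assumptions), and the "FOO" protocol layout and its reserved-flag check are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for Wireshark's packet_info / proto_tree (assumptions,
 * not the real epan types). They only record what the dissector did. */
typedef struct { int items; } model_tree;
typedef struct {
    const char *col_protocol;   /* stands in for the Protocol column */
    const char *col_info;       /* stands in for the Info column */
    int expert_infos;           /* expert info entries raised */
    int subdissector_calls;     /* payload handed to the next dissector */
} model_pinfo;

/* Stand-in for proto_tree_add_item(): does nothing without a tree. */
static void model_tree_add_item(model_tree *tree) { if (tree) tree->items++; }

/* Hypothetical payload dissector; must run on every pass. */
static void model_call_subdissector(model_pinfo *pinfo, model_tree *tree) {
    pinfo->subdissector_calls++;
    model_tree_add_item(tree);
}

/* Constructed protocol "FOO": byte 0 = type, byte 1 = flags, rest = payload. */
int dissect_foo_model(const unsigned char *buf, size_t len,
                      model_pinfo *pinfo, model_tree *tree) {
    if (len < 2) return 0;      /* too short: not our protocol */

    /* Always: columns are the packet summary, shown even when tree == NULL. */
    pinfo->col_protocol = "FOO";
    pinfo->col_info = (buf[0] == 1) ? "Request" : "Response";

    /* Only when details are wanted: field-by-field tree items. */
    if (tree) {
        model_tree_add_item(tree);  /* protocol item */
        model_tree_add_item(tree);  /* type field */
        model_tree_add_item(tree);  /* flags field */
    }

    /* Always: expert info for a malformed value (reserved flag bits set). */
    if (buf[1] & 0xF0) pinfo->expert_infos++;

    /* Always: hand the payload to the subdissector, tree or no tree. */
    if (len > 2) model_call_subdissector(pinfo, tree);
    return (int)len;
}
```

With a NULL tree the columns, the expert info and the subdissector call still happen; only the per-field tree items are skipped.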