This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When can the proto_tree *tree item be NULL?

0

According to the WSDG, proto_tree *tree params can be NULL when "asked for a summary of a packet instead of the details". How should I decide whether something is a detail? Where is this difference exactly visible?

In the example, the column data seems to be the summary while the filterable protocol tree is the details. Wouldn't skipping proto_tree_add_item() make all fields unfilterable?

asked 10 Jul '14, 14:49

Lekensteyn

edited 10 Jul '14, 14:50


One Answer:

2

Basically, if(tree) can be used to make the first pass faster (when all packets are read in sequence) by omitting putting details in the tree which will not be visible in the GUI/Tshark output anyway. Writing to columns and calling of subdissectors must be done outside of if(tree) to ensure it always happens, as would reassembly.

If dissection is run with a filter, tree is not NULL; as you noted, filtering wouldn't work otherwise.

A simple dissector would just put the proto name in the tree and write to the proto and info columns outside of if(tree).

answered 11 Jul '14, 00:52

Anders ♦

Note that expert info and calls to subdissectors should not be inside an if(tree) statement.

(11 Jul '14, 02:03) Pascal Quantin
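
A self-contained model of the rule described in the answer and comment above, added here as an example (it is not code from the thread or from Wireshark). `model_tree`, `model_pinfo`, `model_sub` and the toy packet layout are hypothetical stand-ins for proto_tree, the column/expert state and a subdissector; no epan API is used.

```c
/* Added model, not Wireshark source; stand-in types, no epan API used. */
#include <stddef.h>
#include <string.h>
typedef struct { int n_items; } model_tree;  /* stand-in for proto_tree */
typedef struct {
    char info[16];      /* stand-in for the Info column */
    int  expert_count;  /* stand-in for expert info entries */
    int  sub_calls;     /* times the subdissector was called */
} model_pinfo;

/* Hypothetical subdissector; it applies the same rule to its own fields. */
static void model_sub(model_pinfo *pinfo, model_tree *tree)
{
    pinfo->sub_calls++;
    if (tree) tree->n_items++;
}

/* Constructed toy format: byte 0 = type, byte 1 = flags, rest = payload. */
int model_dissect(const unsigned char *buf, size_t len,
                  model_pinfo *pinfo, model_tree *tree)
{
    if (len < 2) return 0;
    strcpy(pinfo->info, buf[0] == 1 ? "Request" : "Response"); /* column: always */
    if (buf[1] & 0x80) pinfo->expert_count++;             /* expert info: always */
    if (tree) tree->n_items += 2;     /* detail items: only when a tree is given */
    if (len > 2) model_sub(pinfo, tree);                  /* subdissector: always */
    return (int)len;
}

/* Dissects one constructed packet; returns the number of tree items added. */
int model_run(int with_tree, model_pinfo *out)
{
    static const unsigned char pkt[] = { 1, 0x80, 0xAA, 0xBB };
    model_tree t = { 0 };
    memset(out, 0, sizeof *out);
    model_dissect(pkt, sizeof pkt, out, with_tree ? &t : NULL);
    return t.n_items;
}

/* 1 if a NULL-tree pass and a detailed pass differ only in the tree. */
int model_passes_agree(void)
{
    model_pinfo a, b;
    return model_run(0, &a) == 0 && model_run(1, &b) == 3 &&
           a.expert_count == 1 && a.sub_calls == 1 && !memcmp(&a, &b, sizeof a);
}

int main(void) { return model_passes_agree() ? 0 : 1; }
```

Moving the column, expert or subdissector line inside the `if (tree)` makes `model_passes_agree()` return 0, which is the failure the answer and comment warn about.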