I have a large TCP message that is captured by Wireshark as a sequence of packets. The message is composed of a header with parameter data followed by an image. Wireshark does not apply my dissector to the message. I would like Wireshark to apply the dissector to the first packet or two so that I can see the data in the header. I'm not concerned about the image. I've done a lot of searches and looked for an option in the menus, but haven't been able to find anything that helps. Thanks for any help you can give me! asked 12 May '15, 06:38  Vince showing 5 of 7 show 2 more comments |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
How is your dissector implemented, C, Lua or something else.
What version of wireshark, and what OS.
Does your dissector ever get called?
I am using C, Wireshark 1.10.7 on Windows 7. My dissector does not get called even though the message appears to have the correct ID.
So is your dissector registered for a particular port, or is it just heuristic?
Why such an old version of Wireshark?
What do you mean by "the message appears to have the correct ID"?
My dissector is registered. I am seeing a number of other messages from the same device.
My project started using Wireshark a while back and doesn't want to change now.
The messages from my device all have an ID that I use to dissect different message types. So, the header of the message appears to be correct. Wireshark just won't operate on the first packet in the sequence.
So you can dissect some messages?
I would save a capture with both good and bad messages, and then run Wireshark with a debugger loading the saved file and see what's happening with your dissector.
Either Wireshark isn't calling your dissector, or your dissector is failing to dissect the message.
I have a capture with both good and bad messages. It dissects all other messages fine, just has a problem with the long ones. Wireshark is not calling my dissector.
Are you sure it's not calling your dissector, e.g. by using a debugger or printing something out to the console, or are you just assuming?