This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I recognize a package that has already passed the dissect function once in my plugin?

0

I am developing a plugin for Wireshark and I have some problems with the multiple passes of the dissect function (dissect_myprotocol) for the same package. I need to know if it is the first time a specific package passes this function. I only want to add some functionality if it is, otherwise I do not want to do anything. How can I be able to tell if it is the first pass or not?

The amount of captured packages will be very large so it will be difficult to store some well chosen data from all passes and compare them to be able to tell if it is a new pass of a specific package or not.

asked 03 Aug '15, 07:39

Sof
accept rate: 0%

I might have been a little bit unclear. Maybe I can explain my problem better.

My problem is that I have a sequence counter for different subtypes of data packages that I want to check if they count up correctly. I store the old value of the sequence counter for every subtype and compare that value with the value of the next package of the same subtype that arrives, after that I update the stored value of the sequence counter. For this I need to know the first time the dissect function is called for a specific package or recognize that specific package next time it passes. I have problems with the multiple passes in a way that the program does not recognize packages that have already passed once, and therefore gives results from the comparison that says that the count up does not work correctly even if it should say that it does. If I have understood my problem correctly I would say that my program thinks that the same package is different ones if it passes several times through the dissect function.

I do all my implementation of the sequence counter check in the dissect function (dissect_myprotocol).

How can I recognize packages that have already passed once or know when the first pass is made for every package to be able to ignore the following passes? I do only want to do the sequence counter check once for every captured package.

(04 Aug '15, 00:50) Sof

The answer of @grahamb is still correct. When 'visited' is 1 your dissector has already seen this packet. The sequence counter you want to check, which has to be passed from one packet dissection to the next, should be added as conversation data. Go read README.dissector on how to use the conversation mechanism.

(04 Aug '15, 02:42) Jaap ♦

Or perhaps you should use p_set_proto_data(), p_get_proto_data() to store the information on the first pass and retrieve the result on subsequent passes.

(04 Aug '15, 04:48) Anders ♦

One Answer:

2

pinfo->fd->flags.visited will be 0 the first time your dissector is called for a frame. There is a macro to help with such checks: PINFO_FD_VISITED(pinfo).

answered 03 Aug '15, 07:53

grahamb ♦
accept rate: 22%
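An added example, not code from this thread or from Wireshark: a self-contained C model of the pattern the answer and comments describe, where the sequence check runs only on the first pass and later passes read the verdict stored for that frame. All `model_*` names and the 8-bit wrapping counter are assumptions; in a real dissector the visited flag is read with PINFO_FD_VISITED(pinfo), the running counter lives in conversation data, and the per-frame verdict is kept with the per-frame proto data functions named above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
enum { MAX_FRAMES = 64, MAX_SUBTYPES = 8 };
/* Hypothetical stand-in for packet_info: frame number plus visited flag. */
typedef struct { uint32_t num; bool visited; } model_pinfo;
/* Stand-in for conversation data: last counter seen per subtype. */
typedef struct { bool seen[MAX_SUBTYPES]; uint8_t last[MAX_SUBTYPES]; } model_conv;
/* Stand-in for per-frame proto data: verdict stored on the first pass. */
typedef enum { SEQ_UNSET, SEQ_OK, SEQ_GAP } seq_verdict;
static seq_verdict frame_verdict[MAX_FRAMES];

/* Dissect one frame and return the verdict to display for it. */
seq_verdict model_dissect(model_pinfo *pinfo, model_conv *conv,
                          uint8_t subtype, uint8_t counter)
{
    if (!pinfo->visited) {
        /* First pass runs in capture order, so the running state is valid. */
        bool ok = !conv->seen[subtype] ||
                  counter == (uint8_t)(conv->last[subtype] + 1);
        conv->seen[subtype] = true;
        conv->last[subtype] = counter;
        frame_verdict[pinfo->num] = ok ? SEQ_OK : SEQ_GAP;
        pinfo->visited = true; /* in Wireshark the framework sets this flag */
    }
    return frame_verdict[pinfo->num]; /* later passes only read the stored result */
}

/* Constructed sample: subtype 1 carries 10, 11, 13 (a gap); subtype 2 carries 5. */
void model_run(seq_verdict first[4], seq_verdict again[4])
{
    model_pinfo f[4] = { {0, false}, {1, false}, {2, false}, {3, false} };
    const uint8_t sub[4] = { 1, 2, 1, 1 }, ctr[4] = { 10, 5, 11, 13 };
    const int order[4] = { 2, 0, 3, 1 }; /* re-dissection order, e.g. user clicks */
    model_conv conv = { {false}, {0} };
    for (int i = 0; i < 4; i++)
        first[i] = model_dissect(&f[i], &conv, sub[i], ctr[i]);
    for (int i = 0; i < 4; i++)
        again[order[i]] = model_dissect(&f[order[i]], &conv, sub[order[i]], ctr[order[i]]);
}

int main(void)
{
    seq_verdict first[4], again[4];
    model_run(first, again);
    for (int i = 0; i < 4; i++)
        printf("frame %d: first pass %d, later pass %d\n", i, first[i], again[i]);
    return 0;
}
```

Without the visited check, re-dissecting frame 2 after frame 3 would compare 11 against a stored 13 and report a gap that is not in the capture.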