I'm writing a dissector (wireshark-v1.99.9) for a custom protocol with the following structure:
That means each PDU has exactly one instruction and a variable number of parameters. In the details pane the protocol should be displayed like this:
The field/node parameters should contain an FT_UINT8 so the user can search for packets with a certain number of parameters (n). The problem is that at the time parameters is constructed I don't know n. To work around this I could first dissect the PDU to determine n and then dissect it a second time to construct the proto_tree, but performance-wise this is not a good solution.
I would rather initialise parameters with 0, dissect the PDU and finalise n after I'm done. I checked epan/proto.h, epan/proto.c and README.dissector for methods I could use.
I'm not that experienced as a programmer and I'm a Wireshark newbie, hence my questions:
Thanks in advance!
asked 18 Sep '15, 04:13
edited 18 Sep '15, 04:27
I'm not certain I follow your protocol definition, but I think you're saying it's one of those awkward protocols that doesn't have a length or count in the "header", and then repeated "parameter" records.
If that's the case, then I would add the instruction field, keeping the return value (a
answered 18 Sep '15, 05:19
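The single-pass "create the node with n = 0, keep its handle, patch it after the loop" approach that the question describes, shown as an added stand-alone C example. This is not code from the question, the answer or Wireshark's epan library: the tree (`tree_t`, `node_t`, `tree_add`) is a minimal mock of a proto_tree, and the PDU layout is an assumption made here (one instruction byte, then parameters as type/length/value triples running to the end of the PDU), since the original structure is not reproduced on the page. The dissector also rejects a truncated header or a parameter length that overruns the buffer, which is the check a real dissector must make before trusting n.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock of a proto_tree node (NOT Wireshark's proto_item): a label, the byte
 * range it covers in the PDU and an integer value. All three can be patched
 * after the node has been created, which is the whole point of the pattern. */
typedef struct {
    const char *label;
    size_t offset;
    size_t len;
    unsigned value;
} node_t;

#define MAX_NODES 32

typedef struct {
    node_t nodes[MAX_NODES];
    size_t count;
} tree_t;

/* Add a node and hand back a pointer to it, the way proto_tree_add_item()
 * returns a proto_item*. Returns NULL when the mock tree is full. */
static node_t *tree_add(tree_t *t, const char *label, size_t off, size_t len, unsigned value)
{
    if (t->count >= MAX_NODES)
        return NULL;
    node_t *n = &t->nodes[t->count++];
    n->label = label;
    n->offset = off;
    n->len = len;
    n->value = value;
    return n;
}

/* First node with the given label, or NULL. */
static const node_t *tree_find(const tree_t *t, const char *label)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->nodes[i].label, label) == 0)
            return &t->nodes[i];
    return NULL;
}

/* Assumed PDU layout (hypothetical, not the poster's protocol):
 *   instruction : 1 byte
 *   parameters  : zero or more of { type : 1 byte, length : 1 byte, value : length bytes }
 *                 running to the end of the PDU
 * Returns the number of parameters n, or -1 if the PDU is malformed
 * (truncated type/length header, or a length that runs past the buffer). */
static int dissect_pdu(const uint8_t *pdu, size_t pdu_len, tree_t *tree)
{
    if (pdu_len < 1)
        return -1;
    if (tree_add(tree, "instruction", 0, 1, pdu[0]) == NULL)
        return -1;

    /* Single pass: create "parameters" now with n = 0 and a provisional
     * length of 0, keep the handle, and finalise it once the loop is done. */
    node_t *params = tree_add(tree, "parameters", 1, 0, 0);
    if (params == NULL)
        return -1;

    size_t off = 1;
    unsigned n = 0;
    while (off < pdu_len) {
        if (pdu_len - off < 2)                 /* truncated type/length header */
            return -1;
        uint8_t type = pdu[off];
        uint8_t vlen = pdu[off + 1];
        if (vlen > pdu_len - off - 2)          /* value would overrun the PDU */
            return -1;
        if (tree_add(tree, "parameter", off, 2u + vlen, type) == NULL)
            return -1;
        off += 2u + vlen;
        n++;
    }

    /* Now n and the byte span of all parameters are known: patch the node
     * that was created before the loop instead of dissecting a second time. */
    params->value = n;
    params->len = off - 1;
    return (int)n;
}

int main(void)
{
    /* Constructed sample: instruction 0x01, then three parameters
     * (type 0x10 len 2, type 0x11 len 0, type 0x12 len 1). */
    static const uint8_t pdu[] = {0x01, 0x10, 0x02, 0xAA, 0xBB, 0x11, 0x00, 0x12, 0x01, 0xFF};
    tree_t tree;
    memset(&tree, 0, sizeof tree);
    int n = dissect_pdu(pdu, sizeof pdu, &tree);
    printf("n = %d\n", n);
    for (size_t i = 0; i < tree.count; i++)
        printf("  %-12s offset=%zu len=%zu value=%u\n", tree.nodes[i].label,
               tree.nodes[i].offset, tree.nodes[i].len, tree.nodes[i].value);
    return n < 0;
}
```

In a real dissector the handle kept across the loop is the `proto_item*` returned by `proto_tree_add_item()`; after the loop `proto_item_set_len()` fixes the byte span and `proto_item_append_text()` can put n into the label. Since the count is not a byte in the packet, the filterable FT_UINT8 field can be added after the loop with `proto_tree_add_uint()` over a zero-length range and flagged as generated (`PROTO_ITEM_SET_GENERATED` in the 1.99 series), so the user can still filter on n without a second dissection pass.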