This is our old Q&A Site. Please post any new questions and answers at


I'm working on a dissector plugin for a proprietary protocol that runs on top of Ethernet with LLC frames. My dissector is working fine, but I'm having a problem with the LLC frame when running TFTP over my protocol:

Both the LLC dissector and the TFTP dissector create a "data" node for their payload, and both nodes have the same attributes "len" and "data". In this setup, I can't figure out how to filter explicitly on the length of just one of the two payloads (e.g. all packets with a TFTP data length of 445, but not those with LLC data length of 445 and smaller TFTP length).

How can I uniquely address either of these nodes despite them using the same name?

Or, if that's not possible, can I somehow resolve the name clash using my custom protocol dissector that sits between the LLC and TFTP layer?

asked 09 Dec '16, 06:45

creckord's gravatar image

accept rate: 0%

The LLC dissector only creates a "data" node if its payload isn't dissected. However, if your dissector runs on top of LLC, presumably the LLC dissector is calling your dissector to dissect the payload, so there shouldn't be a "data" node.

Does your protocol have a particular DSAP assigned to it, or does it run on top of SNAP?

(10 Dec '16, 14:35) Guy Harris ♦♦
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 09 Dec '16, 06:45

question was seen: 838 times

last updated: 10 Dec '16, 14:35

p​o​w​e​r​e​d by O​S​Q​A