I know that dissectors only work on the current packet, but is there a way to access previous or future frames from the current frame in a dissector? I am trying to display a calculated checksum in the initial frame after the whole fragmented message has been reassembled. asked 08 Jun '17, 10:49  jpetersen |
One Answer:
Yes, this is possible taking into account how Wireshark is processing your capture file. First it reads it sequentially and then uses additional, random access reads to get details. You can make use of that, eg. for request and response tracking. This is described in Mind you this depends on 2-pass analysis of the capture file, so it using tshark you'll have to give the answered 08 Jun '17, 14:36  Jaap ♦ Thank you for your reply, I have been looking into request_response_tracking and it has been helpful. (09 Jun '17, 08:47) jpetersen |
Shouldn't you be doing that in the last frame together with the Reassembled data?
I would like to display it in the initial fragment as well because that has all of the other information from the message in it.
I want to display all the information with the validated checksum so either add the calculated checksum to a previous frame, or add all the information from the initial fragment to the future frame where the checksum is calculated.