What is a “capture dissector” and how is it different from a normal dissector?

Question

Hi, I was reading packet-udp.c and I encountered the following code that I do not understand

capture_dissector_handle_t udp_cap_handle;
dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_handle);
dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_handle);
udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udp->id);
capture_dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_cap_handle);
udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udplite->id);
capture_dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udp_cap_handle);

The dissector_add_uint, as I understand, register the udp dissector in the sub-dissector table ip.proto However, I fail to understand what the capture_dissector_add_uint does. I read no information about “capture dissector” in README.dissector, and capture_dissector.h did not answer the question either.

Is it creating udp’s own sub-dissector table? if so, why is “ip.proto” in the argument field?

Could someone clear things up for me? Thank you very much!

Nick

Accepted Answer

This is part of a feature in the the GTK (so called legacy) interface which has not (yet?) been implemented in the Qt interface. While doing a capture you can choose to have the packet list updated in real time or not, and you can choose to have a capture info dialog presented or not. To update the capture info dialog the incoming packets need to be dissected at a very high level. This is performed by these so called capture dissectors. Through this dialog you can see that the packet types which you expect are coming in, while not burdening the capture platform with detailed packet dissection, which may prove too time consuming for the rate of incoming packets.

Answer 2

These came in via change 12607. It appears their purpose is lightweight dissection for statistics purposes (look at the packet-ethertype.c capture dissector for an example).