Why aren't my expert-infos filterable?

Question

I have a plugin dissector which may attach expert info to a packet as shown below:

if(EXPERT_CONDITION(p_item))
{
    expert_add_info_format(pinfo, p_item, PI_PROTOCOL, PI_WARN, "expert warning");
}

Here, EXPERT_CONDITION is a macro that examines the data in p_item (equivalent to the code given in my answer here). I have captures where this expert info is visible in the tree, but no other expert info is present in the packet. In these captures, if I put expert in the filter pane, these marked packets do not show up. If I look in the Expert Infos dialog, I see Warnings: 0 (0).

Because of this I can't filter on packets in my protocol with an expert info that is specific to my protocol. How can I change my code so that the expert-info marked packets of my protocol are correctly filterable?

Accepted Answer

2

Are you calling expert_add_info_format() from within an if (tree) {} block, perhaps? This needs to be called whether the tree is NULL or not. The README.developer document doesn't explicitly mention the expert infos, but the following excerpt does apply to expert infos as well:

   Note, however, that you must fill in column information, create
   conversations, reassemble packets, build any other persistent state
   needed for dissection, and call subdissectors regardless of whether
   "tree" is NULL or not.

permanent link

answered 13 Jan '12, 17:18

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

This is the problem. I checked by rearranging a small portion of my dissector so the expert logic for one specific case would be run regardless of the tree. As expected, the filter expert correctly displays those packets, but still misses other marked packets that depend on tree.

(17 Jan '12, 08:32) multipleinte...

Why aren't my expert-infos filterable?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions