This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why aren’t my expert-infos filterable?

0

I have a plugin dissector which may attach expert info to a packet as shown below:

if(EXPERT_CONDITION(p_item))
{
    expert_add_info_format(pinfo, p_item, PI_PROTOCOL, PI_WARN, "expert warning");
}

Here, EXPERT_CONDITION is a macro that examines the data in p_item (equivalent to the code given in my answer here). I have captures where this expert info is visible in the tree, but no other expert info is present in the packet. In these captures, if I put expert in the filter pane, these marked packets do not show up. If I look in the Expert Infos dialog, I see Warnings: 0 (0).

Because of this I can't filter on packets in my protocol with an expert info that is specific to my protocol. How can I change my code so that the expert-info marked packets of my protocol are correctly filterable?

asked 13 Jan '12, 07:55

multipleinte...


One Answer:

2

Are you calling expert_add_info_format() from within an if (tree) {} block, perhaps? This needs to be called whether the tree is NULL or not. The README.developer document doesn't explicitly mention the expert infos, but the following excerpt does apply to expert infos as well:

   Note, however, that you must fill in column information, create
   conversations, reassemble packets, build any other persistent state
   needed for dissection, and call subdissectors regardless of whether
   "tree" is NULL or not.

answered 13 Jan '12, 17:18

cmaynard ♦♦

This is the problem. I checked by rearranging a small portion of my dissector so the expert logic for one specific case would be run regardless of the tree. As expected, the filter expert correctly displays those packets, but still misses other marked packets that depend on tree.

(17 Jan '12, 08:32) multipleinte...
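
The effect described in the answer, as an added example that is not part of the original thread and is not Wireshark code: the same dissector body written with and without an if (tree) guard, run once with a tree and once with tree set to NULL. The types, the counting stub named expert_add_info_format, field_is_suspect, the two dissect_* functions and the sample bytes are stand-ins and assumptions so that it compiles without the Wireshark headers.

```c
#include <stdio.h>

/* Stand-ins, not Wireshark's own definitions; the stub below only counts calls. */
typedef struct { int expert_count; } packet_info;
typedef struct { int unused; } proto_tree, proto_item;
enum { PI_PROTOCOL = 1, PI_WARN = 2 };   /* placeholder values */
static void expert_add_info_format(packet_info *pinfo, proto_item *pi, int group,
                                   int severity, const char *format, ...)
{
    (void)pi; (void)group; (void)severity; (void)format;
    pinfo->expert_count++;
}

/* Hypothetical condition, decided from packet bytes rather than from a tree item. */
static int field_is_suspect(const unsigned char *d, size_t len) { return len > 0 && d[0] == 0xFF; }

/* Pattern the answer asks about: expert info is added only when a tree exists. */
static void dissect_guarded(const unsigned char *d, size_t len, packet_info *pinfo, proto_tree *tree)
{
    if (tree) {
        proto_item item = {0};   /* stands in for the item a proto_tree_add_*() call returns */
        if (field_is_suspect(d, len))
            expert_add_info_format(pinfo, &item, PI_PROTOCOL, PI_WARN, "expert warning");
    }
}

/* Corrected: the check and the call run whether or not tree is NULL. */
static void dissect_unguarded(const unsigned char *d, size_t len, packet_info *pinfo, proto_tree *tree)
{
    proto_item item = {0};
    if (field_is_suspect(d, len))   /* with no tree there is no item, so pass NULL */
        expert_add_info_format(pinfo, tree ? &item : NULL, PI_PROTOCOL, PI_WARN, "expert warning");
}

/* Dissects one constructed sample packet; returns how many expert infos were recorded. */
static int warnings_recorded(void (*fn)(const unsigned char *, size_t, packet_info *, proto_tree *),
                             int with_tree)
{
    static const unsigned char sample[] = { 0xFF, 0x01, 0x02 };   /* constructed input */
    packet_info pinfo = {0};
    proto_tree tree = {0};
    fn(sample, sizeof sample, &pinfo, with_tree ? &tree : NULL);
    return pinfo.expert_count;
}

int main(void)
{
    printf("no tree: guarded=%d unguarded=%d\n", warnings_recorded(dissect_guarded, 0), warnings_recorded(dissect_unguarded, 0));
    return 0;
}
```

The guarded version records the warning only on the pass that builds a tree, which matches a packet that shows the expert item in the details pane while the tree-less pass never sees it.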