This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

About epan_dissect_run function

0

I am now reading the source code of Wireshark and have learned much from it. Thank you to all the developers.

But I am confused about "epan_dissect_run" function.

When we get a packet from the capture file, we use the "read_packet" function to read and dissect the packet. In "read_packet" we call the function named "epan_dissect_run" to dissect the packet. But I also find the "epan_dissect_run" function called in the callback function "show_cell_data_func".

My first question: why is the "epan_dissect_run" function called two times?

Second question: I set a breakpoint in my dissector. Through the stack view in VS2005, I always find that it reaches the breakpoint only when called by "show_cell_data_func"; why is it not called by "read_packet"?

asked 02 Apr '12, 20:45


taiyangluoyu

edited 03 Apr '12, 08:14


Guy Harris ♦♦


One Answer:

3

First question:

epan_dissect_run() is being called twice because it's called when a capture is read in (that's the call from read_packet()), when a packet's summary information is displayed in the packet list in the GUI (that's the call from show_cell_data_func()), when you click on the packet to show its details, when you filter the display, when you use some of the Analyze and Statistics menu items, etc. Wireshark does not save the information from the dissections done when the capture is read in, because that would greatly increase its memory usage and slow it down.

Therefore, your dissector MUST be prepared to be called more than once.

Second question:

The dissector that calls your dissector might be buggy and not always calling subdissectors such as yours. How are you registering your dissector to be called?

answered 03 Apr '12, 08:13


Guy Harris ♦♦

I changed the source IP address value in dissect_ip() while debugging, during the first epan_dissect_run.

When I hit the second breakpoint, I could see that this time, when I apply a filter, epan_dissect_run() is called but the data which was kept from the last iteration itself is used. Why does it decode it again if everything it is going to consume is from the last pass?

(24 Aug '12, 01:04) Harsha
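
The requirement in the answer that a dissector be prepared to be called more than once can be seen in a small stand-alone model. This is an added example, not code from Wireshark or from any poster in this thread; `frame_t`, `conv_state_t`, the `visited` field and all function names are hypothetical stand-ins, with only the `read_packet()` and `show_cell_data_func()` call paths taken from the discussion above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one captured frame (not Wireshark's own structure). */
typedef struct {
    int visited;   /* 0 until the first sequential pass has dissected the frame */
    int seq_no;    /* per-frame result cached on that first pass */
} frame_t;

/* Hypothetical state a dissector keeps across frames of one conversation. */
typedef struct { int next_seq; } conv_state_t;

/* Naive dissector: advances shared state on every call, so each
 * re-dissection of the same frame yields a different value. */
static int dissect_naive(conv_state_t *st, frame_t *f) {
    (void)f;
    return ++st->next_seq;
}

/* Re-entrant dissector: shared state advances only on the first visit;
 * later calls for the same frame return the cached per-frame value. */
static int dissect_reentrant(conv_state_t *st, frame_t *f) {
    if (!f->visited) {
        f->seq_no = ++st->next_seq;
        f->visited = 1;
    }
    return f->seq_no;
}

typedef int (*dissector_t)(conv_state_t *, frame_t *);

/* Loads three frames, then re-dissects frame 0 twice, as the GUI would for
 * the packet list and for a display filter. Returns what frame 0 shows last. */
static int load_then_redisplay(dissector_t d) {
    conv_state_t st = {0};
    frame_t frames[3];
    memset(frames, 0, sizeof frames);
    for (int i = 0; i < 3; i++)
        d(&st, &frames[i]);      /* read_packet() path */
    d(&st, &frames[0]);          /* show_cell_data_func() path */
    return d(&st, &frames[0]);   /* display filter path */
}

int main(void) {
    printf("naive:      frame 0 shows seq %d\n", load_then_redisplay(dissect_naive));
    printf("re-entrant: frame 0 shows seq %d\n", load_then_redisplay(dissect_reentrant));
    return 0;
}
```

The naive version reports a drifting value for the same frame each time it is redrawn, which is the kind of inconsistency that makes a capture misleading during analysis.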