That second dissecting will happen, and a third, and fourth time, etc. This is integral to the design of Wireshark and TShark. Lots has been written about it; in short, it comes down to having a 'quick' sequential run through the packets first, then dissecting the relevant packets again to get tree items, either to show on the GUI (Wireshark), apply filters, apply colours, show in text output (tshark -2), etc.

So your dissector has to be designed to handle packets individually. It can take advantage of the first sequential run through the packets to collect and store data related to the connection, to be used with other packets in the connection. Look for conversation in the various README files, and have a look at request and response tracking also.
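
The pattern described in this answer, as an added Lua example that is not part of the original answer: state is collected only on the first sequential pass (`pinfo.visited` is false) and every later pass only reads it. The `demo` protocol, its 3-byte layout, TCP port 9999 and one message per TCP segment are assumptions made for illustration.

```lua
-- Hypothetical "demo" protocol (assumption): byte 0 = type (1 request, 2 response),
-- bytes 1-2 = transaction id, one message per TCP segment on port 9999.
local demo = Proto("demo", "Demo Request/Response")
local pf_type    = ProtoField.uint8("demo.type", "Type", base.DEC)
local pf_txid    = ProtoField.uint16("demo.txid", "Transaction ID", base.HEX)
local pf_resp_in = ProtoField.framenum("demo.response_in", "Response in", base.NONE, frametype.RESPONSE)
local pf_resp_to = ProtoField.framenum("demo.response_to", "Response to", base.NONE, frametype.REQUEST)
demo.fields = { pf_type, pf_txid, pf_resp_in, pf_resp_to }

local f_tcp_stream = Field.new("tcp.stream")

local pending = {}  -- "stream:txid" -> request frame; touched on the first pass only
local partner = {}  -- frame number -> matching frame; read on every pass

-- Called whenever a capture is (re)loaded, so stale state never leaks across files.
function demo.init()
    pending, partner = {}, {}
end

function demo.dissector(tvb, pinfo, tree)
    if tvb:len() < 3 then return 0 end
    local msg_type = tvb(0, 1):uint()
    local txid     = tvb(1, 2):uint()
    pinfo.cols.protocol = "DEMO"

    -- First sequential pass: packets arrive in order, so matching is safe here.
    if not pinfo.visited then
        local fi  = f_tcp_stream()
        local key = tostring(fi and fi.value or 0) .. ":" .. txid
        if msg_type == 1 then
            pending[key] = pinfo.number
        elseif msg_type == 2 and pending[key] then
            partner[pinfo.number] = pending[key]
            partner[pending[key]] = pinfo.number
            pending[key] = nil
        end
    end

    -- Every pass, in any packet order: build the tree from stored per-frame data.
    local subtree = tree:add(demo, tvb(0, 3))
    subtree:add(pf_type, tvb(0, 1))
    subtree:add(pf_txid, tvb(1, 2))
    local other = partner[pinfo.number]
    if other then
        subtree:add(msg_type == 1 and pf_resp_in or pf_resp_to, other):set_generated()
    end
    return 3
end

DissectorTable.get("tcp.port"):add(9999, demo)
```

A C dissector would keep the same two kinds of state with the conversation and per-packet data APIs covered in the README files the answer points to.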