 | 1 | initial version |
Is there any difference ...
Yes
Wireshark dissects packets in what it calls 'two-pass' dissection.
If you add -2 to the tshark command line and a print(pinfo.visited) to the T_gre_proto.dissector you will see that tshark can be a multi pass dissector also.
In addition to the WSDG description above about two-pass, see:
What's the difference between a dissector, post-dissector and tap?
There is an example in A post-dissector example using pinfo.visited to only process on the first pass through.
log("Visited: " .. tostring(pinfo.visited))
if not pinfo.visited then
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.