Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Why is the dissector called multiple times?

Because Wireshark makes one pass over all the packets as it reads in the capture file - and then, if a packet's information becomes visible in the packet summary pane, or is selected so that its information is shown in the packet detail pane, the packet will be dissected again.

We don't keep the dissection around in memory; that would mean, for a large file, that we'd chew up even more memory than we do now. That would cause thrashing when handling that file.

You will have to make sure that any dissector you write, or change, can handle this.

On the other hand, I ran tshark with the same capture file, dissector_lldp is called one time.

That's because TShark only makes one pass over the file...

...unless you run it with the -2 flag, in which case it makes two passes over the file, and the dissector will be called twice.