How often will a dissector be started at loading a pcap-file?

asked 2020-08-12 13:21:16 +0000

kinpin1988

Hey, I'm writing a Lua dissector for UDP traffic. When I load a pcap file, the dissector is started 3 times for every packet, and every time I select a packet the dissector is started for this one.

Running the dissector when you select a packet makes sense to me to save memory and not save all information all the time. But why does Wireshark start the dissector 3 times after loading the pcap file?


1 Answer


answered 2020-08-12 13:55:30 +0000

grahamb

Is your dissector's protocol in the first packet of the capture file?

Normally all dissectors are called twice at capture load, so that forward references etc. can be fixed up, and then a dissector is subsequently called when a packet containing the dissector's protocol is displayed in the packet details by selecting a packet in the packet list.


Comments

Thanks, that helps me. Yes, the dissector's protocol is in the first packet. I use a pcap with only 12 packets of the specific protocol inside to test the dissector. If Wireshark always runs twice in the order of entry, I can use it for my project. I wonder why it makes the third run. I tried several times to load the file. Sometimes Wireshark made the third run only for some packets. But that isn't an issue for me.

kinpin1988 ( 2020-08-13 07:23:46 +0000 )

Note the other part of my answer:

a dissector is subsequently called when a packet containing the dissector's protocol is displayed in the packet details by selecting a packet in the packet list.

As the first packet in the list is automatically selected after capture file load, any dissector for protocols in the first packet will be called again. And selecting any other packet at any time will run all dissectors for that packet.

grahamb ( 2020-08-13 08:02:57 +0000 )

I tried it on my private Mac. There it only runs twice for every packet and if I select one, like you described.

I printed out for every packet this way:

```lua
function pBap_protocol.dissector(buffer, pinfo, tree)
    print("pinfo.number:" .. pinfo.number)
    ...
```

On my working laptop it runs three times at loading and if I select a packet. Don't know why. Maybe it's an older version on my working laptop. But that doesn't bother me.

kinpin1988 ( 2020-08-13 16:15:28 +0000 )
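Because a dissector runs more than once per frame (at load and again on every selection), any cross-packet state should be built only on the first pass and looked up by frame number afterwards. The sketch below is an added example, not code from the thread or from the Wireshark project; the protocol name `demo_udp` and UDP port 50000 are constructed placeholders. It uses `pinfo.visited` to detect the first pass and shows the per-frame call count in the packet details.

```lua
-- Added example: names and the UDP port are constructed placeholders.
local demo = Proto("demo_udp", "Demo UDP Protocol")

local calls = {}        -- frame number -> how often the dissector ran for it
local first_pass = {}   -- frame number -> state computed once, on the first pass
local seen = 0          -- running counter across the capture (cross-packet state)

-- Called when a capture file is (re)loaded: reset all cross-packet state.
function demo.init()
    calls = {}
    first_pass = {}
    seen = 0
end

function demo.dissector(buffer, pinfo, tree)
    local n = pinfo.number
    calls[n] = (calls[n] or 0) + 1

    -- pinfo.visited is false the first time a frame is dissected.
    -- Update counters only then, so later passes and packet
    -- selections do not inflate them.
    if not pinfo.visited then
        seen = seen + 1
        first_pass[n] = { index = seen }
    end

    pinfo.cols.protocol = "DEMO"
    local subtree = tree:add(demo, buffer(), "Demo UDP Protocol")

    -- Later passes read the stored state instead of recomputing it.
    local state = first_pass[n]
    if state then
        subtree:add(buffer(), "Index among demo packets: " .. state.index)
            :set_generated()
    end
    subtree:add(buffer(), "Dissector calls for this frame: " .. calls[n])
        :set_generated()
end

DissectorTable.get("udp.port"):add(50000, demo)
```

With this pattern the index shown for a frame stays the same no matter how many times the dissector is invoked for it, while the call count makes the extra invocations visible.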
