Dissector won't work after load of another pcap (malformed?) file

asked 2020-10-03 11:14:51 +0000

ElrondMcBong

Hi wireshark community,

I am developing a custom dissector in C and it seemed to work very well. But lately I stumbled over some issues.

From the beginning: The purpose of the dissector is to identify TCP packets with XML strings in their payload. I know there is already an XML dissector, but this thing only works for single TCP packets and therefore only for small XML strings. But I have XML strings which spread over more than one TCP packet and have to be concatenated for a proper XML dissection.

In the dissector I look for opening XML tags and get the name of the root tag of the XML tree. Then I search for the closing XML tag of this specific root tag. If the tag is not present in the current packet, I make use of the reassemble function of Wireshark's TCP layer. So good, so fine.

Everything seems to work very well: corresponding TCP packets are correctly reassembled and the XML string is forwarded to the media_type application/xml dissector. And I have also added some DTDs for my specific XML file to get a nice filtering opportunity in Wireshark. Everything worked.

But now I have stumbled over some issues with this specific dissector. For instance: I open a previously recorded pcap file with a mix of different protocols. The XML packets are correctly dissected. Now I open a second file, which seems to be damaged or malformed for the dissection of the XML packets. Not a single packet is dissected as wanted anymore; even a new "Decode As" makes no difference. But the strangest thing is, if I close this second pcap file and open the first pcap which was dissected fine, now there is the same behaviour. Not a single packet is dissected with the protocol anymore.

I have the console opened and set the log level to 252. That was fine for development of the dissector. No error or anything is shown in the console.

What could evoke such a strange behaviour? If the problem were restricted to the second pcap file, I could understand that the file is probably defective.

Maybe someone has had similar problems and knows the source of the issue. If it is useful, I can post the code of the dissector concerned.

Thank you, and have a nice weekend!


Comments

I suspect you have some "global" or static state in your dissector which isn't being reset on the load of a new file.

grahamb (2020-10-03 12:54:01 +0000)

This seems to make sense, but I don't know how to determine what I have to change. Is there any method which is called when the pcap is loaded?

It may be that an XML string is not closed properly, so that the other packets are considered as part of the unclosed XML. I will check this by manipulating some XML packets so that the closing tag does not appear. Maybe this is the key...

Thanks for your answer.

ElrondMcBong (2020-10-04 20:21:06 +0000)
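The static-state diagnosis in grahamb's comment and the follow-up question about a hook that runs on file load, as an added C example that is not part of this thread or of the asker's dissector. It models the root-tag/closing-tag search described in the question without Wireshark headers; the hypothetical xml_init() stands in for the function a real dissector would pass to register_init_routine() so that it runs on every capture-file load, and the payloads in simulate_reload() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Static state: root tag of a document whose closing tag has not been seen
 * yet. Empty string means no document is pending. */
static char pending_root[64];

/* Reset hook (hypothetical name). A real dissector passes this to
 * register_init_routine(); without it the state above leaks across files. */
void xml_init(void)
{
    pending_root[0] = '\0';
}

/* Scan one payload the way the question describes: remember the root tag,
 * then look for its closing tag. Returns 1 = complete document,
 * 0 = closing tag still missing (ask TCP for more data), -1 = not XML. */
int xml_scan(const char *payload)
{
    char close_tag[sizeof pending_root + 3];
    if (pending_root[0] == '\0') {
        size_t i = 1, n = 0;
        if (payload[0] != '<')
            return -1;
        while (payload[i] && payload[i] != '>' && payload[i] != ' ' &&
               payload[i] != '/' && n < sizeof pending_root - 1)
            pending_root[n++] = payload[i++];
        pending_root[n] = '\0';
        if (n == 0)
            return -1;
    }
    snprintf(close_tag, sizeof close_tag, "</%s>", pending_root);
    if (strstr(payload, close_tag) == NULL)
        return 0;           /* still inside the pending document */
    pending_root[0] = '\0'; /* document closed, ready for the next one */
    return 1;
}

/* Reproduces the symptom with constructed payloads: a truncated document
 * from the "bad" file leaves pending_root set, so a valid document from the
 * good file is still reported as incomplete unless the hook ran in between. */
int simulate_reload(int reset_between_files)
{
    xml_init();
    xml_scan("<report><row>1</row>");             /* bad file: never closed */
    if (reset_between_files)
        xml_init();
    return xml_scan("<order><id>2</id></order>"); /* good file reopened */
}
```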