
wireshark dissect message again when I click the message

asked 2020-10-30 05:29:58 +0000

taotiemuren

updated 2020-10-30 06:12:44 +0000

When I load a pcap file in Wireshark, it will dissect messages one by one and show them in the GUI. But if I click one message in the UI, Wireshark will dissect it again. How do I stop the dissecting the second time, when I click a message?

My scenario is as below: dissect one message called message_type_A and store some information from this message in variable "a"; then, in the following messages, if it is message_type_B, it will select a different dissector for one segment in message_type_B according to the value in "a", then clean variable "a".

So after loading the pcap file, it shows normally, as it dissects the messages one by one. But when I click message_type_B in the UI, it will dissect it again, and as variable "a" is empty now, the segment in message_type_B will not be dissected again.

If I can stop the second dissecting, in my view, it will show as expected. How do I stop the second dissecting?

Thanks for your help in advance.


2 Answers


answered 2020-10-30 06:46:48 +0000

Guy Harris

> How do I stop the dissecting the second time, when I click a message?

You can't. That's not a bug, that's a feature. To save memory (and it's a lot of memory being saved!), we do not save the results of dissecting packets - we regenerate them, by re-dissecting, when necessary.

> My scenario is as below: dissect one message called message_type_A and store some information from this message in variable "a"; then, in the following messages, if it is message_type_B, it will select a different dissector for one segment in message_type_B according to the value in "a", then clean variable "a".

Presumably there's some way in which you can determine that the messages are part of the same conversation; they might, for example, be part of the same TCP connection, if your protocol runs on top of TCP or on top of something that runs on top of something that runs on top of TCP, etc..

What you should do is, the first time the message of type message_type_A is dissected (i.e., when pinfo->fd->visited is false), store the information in data associated with the conversation, rather than in a local variable, and ALSO use p_add_proto_data(), as per section 2.5 "Per-packet information" in the doc/README.dissector file in the Wireshark source code, to store the type message_type_A as the type of the message. Then, when you dissect the message of type message_type_B, fetch the information and, as it says the previous message was of type message_type_A, dissect it as being of type message_type_B AND use p_add_proto_data() to store the type message_type_B as the type of that message.

Then, all other times that the message is dissected (i.e., when pinfo->fd->visited is true), use p_get_proto_data() to get the message type.

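The two-pass pattern Guy describes, as an added example that is not code from this thread or from Wireshark: a self-contained C model in which small stand-in structs and names (packet_data_t, conv_data_t, pinfo_t, g_packet_data, all assumed) replace pinfo->fd->visited, conversation data and p_add_proto_data()/p_get_proto_data(), so it runs without Wireshark headers. The first sequential pass keeps "variable a" in the conversation and records the decision per packet; every later dissection of the same frame only fetches that record.

```c
/* Model of the two-pass pattern; the structs below stand in for Wireshark's
 * pinfo->fd->visited, conversation data and p_add/p_get_proto_data() (assumed). */
#include <stdbool.h>
#define MSG_TYPE_A 1
#define MSG_TYPE_B 2
#define SEG_DISSECTOR_DEFAULT 0
#define NUM_FRAMES 4

/* Per-packet data that survives re-dissection (stand-in for p_*_proto_data). */
typedef struct { bool set; int seg_dissector; } packet_data_t;
/* Per-conversation state (stand-in for conversation_add/get_proto_data). */
typedef struct { bool has_pending; int pending_seg_dissector; } conv_data_t;
/* Stand-in for packet_info: frame number, visited flag, decoded fields. */
typedef struct { unsigned num; bool visited; int msg_type; int payload; } pinfo_t;
static packet_data_t g_packet_data[NUM_FRAMES];

/* Returns the dissector chosen for the segment of a message_type_B frame. */
int dissect_message(pinfo_t *pinfo, conv_data_t *conv)
{
    packet_data_t *pd = &g_packet_data[pinfo->num];
    if (pinfo->visited) {
        /* Later passes (GUI click, filter, colouring): never recompute from
         * conversation state, just fetch what the first pass stored. */
        return pd->set ? pd->seg_dissector : SEG_DISSECTOR_DEFAULT;
    }
    /* First sequential pass: "variable a" lives in the conversation data. */
    int chosen = SEG_DISSECTOR_DEFAULT;
    if (pinfo->msg_type == MSG_TYPE_A) {
        conv->pending_seg_dissector = pinfo->payload;
        conv->has_pending = true;
    } else if (pinfo->msg_type == MSG_TYPE_B && conv->has_pending) {
        chosen = conv->pending_seg_dissector;
        conv->has_pending = false;          /* "clean variable a" */
    }
    pd->set = true;                         /* p_add_proto_data() equivalent */
    pd->seg_dissector = chosen;
    return chosen;
}

/* Run pass 1 over a constructed four-frame capture (A, B, A, B), then
 * re-dissect frame `clicked` as the GUI does, with visited set. */
int click_after_first_pass(unsigned clicked)
{
    pinfo_t frames[NUM_FRAMES] = { {0, false, MSG_TYPE_A, 7}, {1, false, MSG_TYPE_B, 0},
                                   {2, false, MSG_TYPE_A, 9}, {3, false, MSG_TYPE_B, 0} };
    conv_data_t conv = { false, 0 };
    for (unsigned i = 0; i < NUM_FRAMES; i++) dissect_message(&frames[i], &conv);
    frames[clicked].visited = true;
    return dissect_message(&frames[clicked], &conv);  /* frame 1 -> 7, frame 3 -> 9 */
}
```

With a plain local variable instead of the per-packet record, the clicked frame 1 would come back as SEG_DISSECTOR_DEFAULT because the conversation's pending value was already consumed during pass 1.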

Comments

Thanks, it works as your advice.

taotiemuren (2020-11-02 10:18:41 +0000)

answered 2020-10-30 06:55:54 +0000

Jaap

That second dissecting will happen, and a third, and a fourth time, etc. This is integral to the design of Wireshark and Tshark. Lots has been written about it; in short, it comes down to having a 'quick' sequential run through the packets first, then dissecting the relevant packets again to get tree items, either to show in the GUI (Wireshark), apply filters, apply colours, show in text output (tshark -2), etc.

So your dissector has to be designed to handle packets individually. It can take advantage of the first sequential run through the packets to collect and store data related to the connection, to be used with other packets in the connection. Look for conversation in the various README files, and have a look at request and response tracking also.


Comments

Thanks for your explanation.

taotiemuren (2020-11-02 10:19:32 +0000)
