
How do I clean up dissect values

asked 2021-04-21 23:09:25 +0000

I have a custom dissector in which I store values from the capture that are only valid for that capture. So, how do you clean up (reset) all the values stored on close of the capture, start of a new capture, or opening of another capture?

Is there a routine that I can register so that when the user closes a capture, starts a new capture or opens a different capture, all the stored values can be cleared?



Are we talking about storing values in memory? If so, have you had a look at ? Especially the wmem_file_scope() pool.

Uli ( 2021-04-22 06:27:42 +0000 )

Kind of. Wireshark has two built-in types of delta times: one is the delta between consecutive line items and the other is the delta time between two consecutive displayed line items. Both of these are determined from the timestamp that Wireshark places on the received item. The payload of my dissected item contains a timestamp of when the payload was generated. To then determine the delta time of the generated item I need to store the payload timestamps for each line; additionally I need to store the sequence for each type of payload so that I can reference the previous item's entry. Now that part is easy; however, I now want to open/start a new capture and all the stored references are still known. So when the capture is closed, a new capture is opened, or a new capture is started, I need to clear all the previously recorded entries ...(more)
( 2021-04-22 15:23:07 +0000 )

When creating a custom dissector an entry point must be registered; is there also an associated clean-up method for when the capture is closed?
( 2021-04-22 15:26:34 +0000 )

I'm not sure this is the correct approach, this sounds more like conversation data for your dissector. See the section on conversations in doc/README.dissector.

grahamb ( 2021-04-22 19:59:21 +0000 )

After reading through doc/README.dissector, it appears that while what I am trying to accomplish is technically a conversation, the methods used are for values found in the network stack and not within the payload of the data. All of the data that is being tracked, except the port, is found in the payload: such as whether this packet is a transmitted or received message, what type of decoding will be needed, whether it is a heartbeat, etc. Then there is the internal timestamp of the message, and specific message types found after dissection. None of that information is known in pinfo, and the timestamp that is returned by a conversation appears to be from when Wireshark received the packet and not when the packet was generated.

Or am I missing something? For example, each of the items that are keys to computing the value is stored as a field during the tvb dissect. So ...(more)
( 2021-04-23 17:50:02 +0000 )

1 Answer


answered 2021-04-22 18:44:40 +0000

register_cleanup_routine(func) appears to be the method. I am coding it up to validate.

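The pattern the answer points at, shown as an added example that is not code from the question, the answer or Wireshark itself: per-capture dissector state that is created when a capture is opened and destroyed when it is closed, used here to compute a delta on the payload's own clock between consecutive packets of the same message type. In a real dissector `example_init()` and `example_cleanup()` would be passed to `register_init_routine()` and `register_cleanup_routine()` (declared in `epan/packet.h`) from the `proto_register_*` function, and Wireshark would call them on capture open and close; here a constructed harness calls them directly so the file builds without Wireshark headers. `MAX_MSG_TYPES`, `MAX_FRAMES`, the struct layouts and every function name are assumptions for the example, and the sample frames are constructed.

```c
/* Added example, not from the question or from Wireshark. In a real
 * dissector, example_init()/example_cleanup() are handed to
 * register_init_routine()/register_cleanup_routine() (epan/packet.h);
 * the harness below calls them directly instead. All names and bounds
 * are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MSG_TYPES 8     /* assumed number of payload message types */
#define MAX_FRAMES    1024  /* constructed bound; Wireshark keys per-frame data by frame number */

/* Most recent payload-generated timestamp seen for each message type.
 * Valid only for the capture currently open. */
typedef struct {
    bool     seen;
    uint64_t last_gen_ts_us;
    uint32_t last_frame;
} type_state_t;

/* What the dissector would add to the tree for one frame. */
typedef struct {
    bool     valid;      /* false if no capture is open or inputs are out of range */
    bool     has_prev;   /* a previous packet of the same type exists in this capture */
    uint32_t prev_frame;
    int64_t  delta_us;   /* gen_ts(this) - gen_ts(previous of same type), payload clock */
} delta_result_t;

static type_state_t   *g_type_state   = NULL;
static delta_result_t *g_frame_result = NULL;

/* Init routine: fresh, empty state for the capture being opened.
 * With wmem this would be allocated from wmem_file_scope(). */
static void example_init(void)
{
    g_type_state   = calloc(MAX_MSG_TYPES, sizeof(*g_type_state));
    g_frame_result = calloc(MAX_FRAMES,    sizeof(*g_frame_result));
}

/* Cleanup routine: drop everything recorded for the closed capture so
 * nothing leaks into the next file. */
static void example_cleanup(void)
{
    free(g_type_state);
    free(g_frame_result);
    g_type_state   = NULL;
    g_frame_result = NULL;
}

/* Stand-in for the dissect callback. frame and visited model pinfo->num
 * and pinfo->fd->visited; msg_type and gen_ts_us are what the real
 * dissector parses out of the payload. State is only advanced on the first,
 * sequential pass; later passes (clicking a packet, re-filtering) return the
 * stored result, otherwise out-of-order re-dissection would corrupt the
 * "previous packet" bookkeeping. */
static delta_result_t example_dissect(uint32_t frame, bool visited,
                                      unsigned msg_type, uint64_t gen_ts_us)
{
    delta_result_t r = { false, false, 0, 0 };
    if (g_type_state == NULL || msg_type >= MAX_MSG_TYPES || frame >= MAX_FRAMES)
        return r;
    if (visited)
        return g_frame_result[frame];

    type_state_t *st = &g_type_state[msg_type];
    r.valid = true;
    if (st->seen) {
        r.has_prev   = true;
        r.prev_frame = st->last_frame;
        r.delta_us   = (int64_t)gen_ts_us - (int64_t)st->last_gen_ts_us;
    }
    st->seen           = true;
    st->last_gen_ts_us = gen_ts_us;
    st->last_frame     = frame;
    g_frame_result[frame] = r;
    return r;
}

/* Constructed harness: two captures back to back, the second starting at
 * frame 1 again. Returns true if the first frame of the second capture
 * correctly has no "previous" packet, i.e. state did not leak across files. */
static bool two_captures_reset_correctly(void)
{
    example_init();                                  /* capture A opened */
    example_dissect(1, false, 2, 1000);
    delta_result_t a2 = example_dissect(2, false, 2, 1500);
    printf("capture A frame 2: delta %lld us from frame %u\n",
           (long long)a2.delta_us, a2.prev_frame);
    example_cleanup();                               /* capture A closed */

    example_init();                                  /* capture B opened */
    delta_result_t b1 = example_dissect(1, false, 2, 20000);
    printf("capture B frame 1: has_prev=%d\n", b1.has_prev);
    example_cleanup();
    return !b1.has_prev;
}

int main(void)
{
    return two_captures_reset_correctly() ? 0 : 1;
}
```

Two practical notes. First, if the tables are allocated from the `wmem_file_scope()` pool that Uli mentions, Wireshark frees that pool itself when the capture is closed, so the cleanup routine only has to reset the pointers to NULL and the init routine re-creates the tables; keeping a pointer to file-scoped memory past the cleanup is a use-after-free. Second, the first-pass-only update (`visited`) matters as much as the reset: without it, clicking on a packet re-runs the dissector out of order and the "previous packet of this type" becomes whatever was clicked last.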