What's the difference between a dissector, post-dissector and tap?

I'm trying to write a Lua plugin for a simple UDP protocol that contains a rolling byte for packet sequencing.

I've written a working dissector that extracts this rolling byte (and other information); however, I am now looking for a way to indicate missing packets by looking for gaps in the rolling byte (e.g. consecutive packets containing "00, 01, 03"). I'd hope to display these in a similar way to how Wireshark displays retransmissions - a big, bold, colour variation for the "03" packet indicating that it follows a break in the stream.

I've tried to do this using a global Lua table within the dissector, but the dissector appears not to be evaluated sequentially (or perhaps multiple times). Other Q&As on other forums have suggested a "Tap" may be more appropriate to achieve this, but I can't find any good resource that outlines what the difference between a dissector, post-dissector and tap actually is!

So - what's the difference?
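
One way to handle the repeated-evaluation behaviour described in the question, as an added example that is not part of the original post: Wireshark dissects frames in capture order only on the first pass (`pinfo.visited` is false) and may call the dissector again later in any order, so the gap is computed once and stored per frame number. The protocol name `rollseq`, UDP port 50000, the rolling byte at offset 0 and a single stream per capture are assumptions.

```lua
-- Added example: gap detection on a rolling sequence byte (names and offsets are assumed).
local p = Proto("rollseq", "Rolling Sequence Example")
local f_seq = ProtoField.uint8("rollseq.seq", "Sequence", base.HEX)
local f_gap = ProtoField.uint8("rollseq.gap", "Packets missing before this one", base.DEC)
p.fields = { f_seq, f_gap }

local e_gap = ProtoExpert.new("rollseq.gap.expert", "Sequence gap",
                              expert.group.SEQUENCE, expert.severity.WARN)
p.experts = { e_gap }

local last_seq = nil      -- last sequence byte seen during the first pass
local gap_by_frame = {}   -- frame number -> count of missing packets

-- Called when a capture is (re)loaded: reset all state.
function p.init()
    last_seq = nil
    gap_by_frame = {}
end

function p.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then return 0 end
    pinfo.cols.protocol = "ROLLSEQ"
    local seq = tvb(0, 1):uint()
    local t = tree:add(p, tvb())
    t:add(f_seq, tvb(0, 1))

    -- First pass only: frames arrive in order, so comparing with last_seq is valid.
    if not pinfo.visited then
        if last_seq ~= nil and seq ~= last_seq then
            -- Modulo 256 handles the 0xFF -> 0x00 rollover.
            local missing = (seq - last_seq - 1) % 256
            if missing > 0 then gap_by_frame[pinfo.number] = missing end
        end
        last_seq = seq
    end

    -- Every pass: read the stored result instead of recomputing it.
    local missing = gap_by_frame[pinfo.number]
    if missing then
        local g = t:add(f_gap, missing)
        g:set_generated()
        t:add_proto_expert_info(e_gap, "Sequence gap: " .. missing .. " packet(s) missing")
    end
    return tvb:len()
end

DissectorTable.get("udp.port"):add(50000, p)  -- assumed port
```

A coloring rule with the display filter `rollseq.gap` then highlights the packet that follows a break. A gap of exactly 256 packets is indistinguishable from a duplicate with a one-byte counter.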