This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is a “capture dissector” and how is it different from a normal dissector?

0

Hi, I was reading packet-udp.c and I encountered the following code that I do not understand

    capture_dissector_handle_t udp_cap_handle;

    /* the normal (full) dissectors, registered in the "ip.proto" sub-dissector table */
    dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_handle);
    dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_handle);

    /* the capture dissectors, registered under the same key in the capture dissector table */
    udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udp->id);
    capture_dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_cap_handle);
    udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udplite->id);
    capture_dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udp_cap_handle);

The dissector_add_uint, as I understand, registers the udp dissector in the sub-dissector table ip.proto. However, I fail to understand what capture_dissector_add_uint does. I read no information about “capture dissector” in README.dissector, and capture_dissector.h did not answer the question either.

Is it creating udp’s own sub-dissector table? If so, why is “ip.proto” in the argument field?

Could someone clear things up for me? Thank you very much!

Nick

asked 13 Jul '17, 17:57


nickzhang
accept rate: 0%


2 Answers:

0

This is part of a feature in the GTK (so-called legacy) interface which has not (yet?) been implemented in the Qt interface. While doing a capture you can choose to have the packet list updated in real time or not, and you can choose to have a capture info dialog presented or not. To update the capture info dialog the incoming packets need to be dissected at a very high level. This is performed by these so-called capture dissectors. Through this dialog you can see that the packet types which you expect are coming in, while not burdening the capture platform with detailed packet dissection, which may prove too time consuming for the rate of incoming packets.

answered 14 Jul '17, 09:53


Jaap ♦
accept rate: 14%

edited 16 Jul '17, 08:51


sindy

Thank you, this answers my question clearly.

(15 Jul '17, 19:34) nickzhang

0

These came in via change 12607. It appears their purpose is lightweight dissection for statistics purposes (look at the packet-ethertype.c capture dissector for an example).

answered 14 Jul '17, 06:58


JeffMorriss ♦
accept rate: 27%

Thank you for the helpful information.

(15 Jul '17, 19:35) nickzhang
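The two answers describe the same mechanism from different angles: a capture dissector looks at only as many bytes as it needs to count the packet type for the capture info dialog, then hands off on a numeric key (the ethertype, then the ip.proto value) through a table that is registered separately from the full dissector table. The following is an added, self-contained C model of that mechanism, written for this page; it is not Wireshark code and uses none of Wireshark's API. The `*_model` function names, the table layout, and the frames built in `run_sample()` are all constructed for the example. It also shows the check every capture dissector needs: a bounds test before each read, because these bytes come straight off a live interface and a truncated frame must not cause an over-read.

```c
/* Added example, not Wireshark code and using none of its API: a self-contained model
 * of what a capture dissector does (glance at the bytes, count the packet type, hand
 * off on a numeric key such as ip.proto). *_model names are made up; frames are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The counters a capture info dialog would display. */
typedef struct { unsigned total, ethernet, ipv4, udp, other; } packet_counts;

/* A capture dissector reads only what it needs, bumps a counter, hands off the rest; 1 = accepted. */
typedef int (*capture_fn)(const uint8_t *pd, size_t offset, size_t len, packet_counts *c);

/* One table row, (table name, numeric pattern) -> function, the role capture_dissector_add_uint plays. */
typedef struct { const char *table; uint32_t pattern; capture_fn fn; } table_entry;
static table_entry g_table[16]; static size_t g_entries;

static void capture_add_uint_model(const char *table, uint32_t pattern, capture_fn fn) {
    table_entry e = { table, pattern, fn };
    if (g_entries < 16) g_table[g_entries++] = e;
}

/* Find the function registered for (table, pattern) and run it; 0 if none. */
static int try_capture_model(const char *table, uint32_t pattern, const uint8_t *pd,
                             size_t offset, size_t len, packet_counts *c) {
    for (size_t i = 0; i < g_entries; i++)
        if (strcmp(g_table[i].table, table) == 0 && g_table[i].pattern == pattern)
            return g_table[i].fn(pd, offset, len, c);
    return 0;
}

/* Every read is bounds-checked first: the bytes come straight off a live interface,
 * so a short or malformed frame must never cause an over-read. */
static int bytes_in_frame(size_t offset, size_t len, size_t need) {
    return offset <= len && len - offset >= need;
}

static int capture_udp_model(const uint8_t *pd, size_t offset, size_t len, packet_counts *c) {
    if (!bytes_in_frame(offset, len, 8)) return 0;   /* UDP header is 8 bytes */
    (void)pd; c->udp++;                              /* a real one would also read the ports */
    return 1;
}
static int capture_ipv4_model(const uint8_t *pd, size_t offset, size_t len, packet_counts *c) {
    if (!bytes_in_frame(offset, len, 20) || (pd[offset] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pd[offset] & 0x0f) * 4;
    if (ihl < 20 || !bytes_in_frame(offset, len, ihl)) return 0;
    c->ipv4++;
    /* Hand off on the protocol byte: the "ip.proto" key from the question. */
    if (!try_capture_model("ip.proto", pd[offset + 9], pd, offset + ihl, len, c)) c->other++;
    return 1;
}
static int capture_eth_model(const uint8_t *pd, size_t offset, size_t len, packet_counts *c) {
    if (!bytes_in_frame(offset, len, 14)) return 0;
    c->ethernet++;
    uint32_t ethertype = ((uint32_t)pd[offset + 12] << 8) | pd[offset + 13];
    if (!try_capture_model("ethertype", ethertype, pd, offset + 14, len, c)) c->other++;
    return 1;
}

/* Wire the chain together once, as a proto_reg_handoff function does. */
static void register_capture_chain(void) {
    g_entries = 0;
    capture_add_uint_model("ethertype", 0x0800, capture_ipv4_model);
    capture_add_uint_model("ip.proto", 17, capture_udp_model);
}

/* Constructed frame: Ethernet header, then for IPv4 a 20-byte header carrying ipproto
 * followed by payload_len zero bytes. Returns the frame length. */
static size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t ipproto, size_t payload_len) {
    memset(buf, 0, 128);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)ethertype;
    if (ethertype != 0x0800) return 14;
    buf[14] = 0x45;          /* IPv4, IHL = 5 words */
    buf[14 + 9] = ipproto;
    return 14 + 20 + payload_len;
}

/* Three frames: IPv4/UDP, ARP (never reaches the ip.proto stage) and an IPv4/UDP frame
 * cut off before its UDP header, which the bounds check files as "other". */
static packet_counts run_sample(void) {
    const struct { uint16_t et; uint8_t pr; size_t pl; } frames[] =
        { {0x0800, 17, 8}, {0x0806, 0, 0}, {0x0800, 17, 4} };
    packet_counts c = { 0, 0, 0, 0, 0 }; uint8_t buf[128];
    register_capture_chain();
    for (size_t i = 0; i < 3; i++) {
        size_t len = build_frame(buf, frames[i].et, frames[i].pr, frames[i].pl);
        c.total++;
        if (!capture_eth_model(buf, 0, len, &c)) c.other++;
    }
    return c;
}

int main(void) {
    packet_counts c = run_sample();
    printf("total=%u eth=%u ipv4=%u udp=%u other=%u\n", c.total, c.ethernet, c.ipv4, c.udp, c.other);
    return 0;
}
```

The point of the two tables in the question's snippet is visible here: `register_capture_chain()` registers the UDP function under the same key ("ip.proto", 17) that the full dissector would use, but in its own table, so the capture path never touches the full dissection machinery. The truncated third frame shows why every stage checks `bytes_in_frame` before indexing `pd`: the frame is simply counted as "other" rather than read past its end.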