I've written a dissector that takes various UDP ports and dissects their packets. Now I'm writing a subdissector that my dissector calls based on an id value that it decodes. I have the subdissector registering for a range of ids (ex 600-700), however, I'm not sure of the best way to pass that id value to the subdissector. Any suggestions?

Additional information: I parse about 4 different items in the dissector before I pass to the sub. If the id was last I would just move my offset back when I make this call:

next_tvb = tvb_new_subset_remaining(tvb, offset);

however the id is the first of the 4 values and I don't want the subdissector to have to grab the id and then cleanup the other values on its own. I'm looking for a cleaner way to do this.

A similar but related problem would be how my top dissector could figure out which of the several udp ports it's registered for was actually the reason it was called.

asked 26 Jan '12, 11:26

simply_blue

edited 26 Jan '12, 13:19

multipleinterfaces


I don't think conversations will help because I only want to pass this data per packet.

(26 Jan '12, 13:42) simply_blue

I think I have found a solution that will solve my problem.

A lot of grepping and a re-read of the README.developer led me to the private-data field of the packet-info struct. Since I already pass pinfo to the sub-dissector, this method should store my id value per packet. If I end up with more arguments that I want to keep with the packet I'll just define my own struct in a header and include it in the dissector and sub-dissector and cast the void pointer properly on either side.

The code builds but I haven't had a chance to test it yet.


answered 26 Jan '12, 13:46

simply_blue

edited 26 Jan '12, 13:47
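
The approach from the answer above, as an added example that is not part of the original post or Wireshark's own code: it models the `private_data` pointer with a stand-in struct so it compiles without Wireshark headers. The field sizes, the `myproto_ctx` struct, the magic tag and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the one packet-info member the answer relies on (a model, not Wireshark's header). */
typedef struct { void *private_data; } pinfo_model;

/* Shared "header" struct: both dissectors include it and cast the void pointer to it. */
#define MYPROTO_CTX_MAGIC 0x4D59u   /* constructed tag: best-effort check against foreign pointers */
typedef struct { uint16_t magic; uint16_t id; } myproto_ctx;

/* Constructed sample: id 650 (0x028A), three more 16-bit values, then two payload bytes. */
static const uint8_t sample_pkt[] = { 0x02, 0x8A, 0, 1, 0, 2, 0, 3, 0xDE, 0xAD };
static pinfo_model sample_pinfo;    /* private_data starts out NULL */

/* Subdissector: sees only the payload; the id arrives through pinfo. Returns the id, or -1. */
static int dissect_sub(const uint8_t *payload, size_t len, pinfo_model *pinfo)
{
    const myproto_ctx *ctx = pinfo->private_data;
    (void)payload; (void)len;
    if (ctx == NULL || ctx->magic != MYPROTO_CTX_MAGIC)
        return -1;                      /* caller did not set our context: refuse to cast blindly */
    return ctx->id;
}

/* Parent: assumed layout is four big-endian 16-bit fields with the id first. */
static int dissect_parent(const uint8_t *buf, size_t len, pinfo_model *pinfo)
{
    if (len < 8)
        return -1;                      /* truncated header: never read past the buffer */
    myproto_ctx ctx = { MYPROTO_CTX_MAGIC, (uint16_t)((buf[0] << 8) | buf[1]) };
    if (ctx.id < 600 || ctx.id > 700)
        return -1;                      /* outside the id range the sub registered for */
    void *saved = pinfo->private_data;  /* keep whatever an outer dissector stored */
    pinfo->private_data = &ctx;         /* valid only for the duration of this call */
    int rc = dissect_sub(buf + 8, len - 8, pinfo);
    pinfo->private_data = saved;        /* leave no dangling pointer to our stack frame */
    return rc;
}

int main(void)
{
    return dissect_parent(sample_pkt, sizeof sample_pkt, &sample_pinfo) == 650 ? 0 : 1;
}
```

Restoring the saved pointer matters because the context lives on the parent's stack; a pointer left in place after return would be dereferenced by any later dissector that reads the field.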

I found it here https://www.wireshark.org/lists/wireshark-dev/200911/msg00203.html

newtvb = tvbuffer(50):tvb()
next_dissector:call( newtvb, pinfo, treeitem )

Sorry, it is not an answer to your question. This Lua snippet describes sub-dissector calling.


answered 18 Nov '14, 03:25

hexum

edited 18 Nov '14, 03:29

Asked: 26 Jan '12, 11:26

Seen: 3,445 times

Last updated: 18 Nov '14, 03:29