First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How often will a dissector be started at loading a pcap-file?

  • retag add tags

Hey, I'm writing a lua dissector for UDP traffic. When I load a pcap file, the dissector is started 3 times for every packet and every time I select a packet the dissector is started for this one.

Running the dissector when you select a packet makes sense to me to save memory and not save all information all the time. But why Wireshark starts the dissector 3 times after loading the pcap file?

kinpin1988's avatar
3
kinpin1988
asked 2020-08-12 13:21:16 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

Is your dissector's protocol in the first packet of the capture file?

Normally all dissectors are called twice at capture load, so that forward references etc. can be fixed up and then a dissector is subsequently called when a packet containing the dissectors protocol is displayed in the packet details by selecting a packet in the packet list.

grahamb's avatar
23.8k
grahamb
answered 2020-08-12 13:55:30 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Thanks, that helps me. Yes the dissector's protocol is in the first packet. I use a pcap with only 12 packets of the specific protocol inside to test the dissector. If wireshark always runs twice in the order of entry, I can use it for my project. I wonder why it makes the third run. I tried several times to load the file. Some times wireshark made the third run only at some packets. But that isn't an issue for me.

kinpin1988's avatar kinpin1988 (2020-08-13 07:23:46 +0000) edit
more
  • delete

Note the other part of my answer:

a dissector is subsequently called when a packet containing the dissectors protocol is displayed in the packet details by selecting a packet in the packet list.

As the first packet in the list is automatically selected after capture file load, any dissector for protocols in the first packet will be called again. And selecting any other packet at any time will run all dissectors for that packet.

grahamb's avatar grahamb (2020-08-13 08:02:57 +0000) edit
more
  • delete

I tried it on my private Mac. There it only runs twice for every packet and if I select one, like you described.

I printed out for every packet this way: function pBap_protocol.dissector(buffer, pinfo, tree) print("pinfo.number:" .. pinfo.number) ...

On my working laptop it runs three times at loading and if I select a packet. Don't know why. May be it's an older version on my working laptop. But that doesn't bother me.

kinpin1988's avatar kinpin1988 (2020-08-13 16:15:28 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer