> I'm writing a dissector, and I want to be able to reference other
> frames in the tree (request->response pairs e.g.). It looks fairly
> easy for the response to reference the request, but is it also
> possible for the request to reference the response?
"Reference" meaning "give the frame number of the other frame as one of
the fields", as ONC RPC has done for a while for responses referring to
requests, and as the current CVS version of SMB does for requests and
responses?
Yes, it's possible, but:
> Seems like all of the frames would need to be dissected twice,
...it *does* require that for requests to refer to responses.
> but I don't know if that happens by default.
In Tethereal, it won't happen; Tethereal is, by design, a one-pass
program.
It can happen in Ethereal. See below.
> Is there a way for a request to reference a response?
Yes.
> Do the frames get dissected more than once?
In Tethereal, no.
In Ethereal, the frames are all dissected once, in order, when the
capture file is read in.
They are dissected again if
you select the frame for display;
you do a print operation;
you do a display filter.
(They're also dissected if
a protocol preference is changed;
a protocol is enabled or disabled;
a "Decode As" is done;
but, in those cases, all dissector state information is reset before the
dissection, so it's just like the pass done when the capture file is
read in.)
This means that you can't, in a read filter, use a filter expression
that checks for a field that appears in requests and gives the frame
number of a response, as the read filter expression tests the protocol
tree from the very first dissection.
However, once you've read the file in, you can test it.
It also means that you can't put that information in the Info column of
the list of frames, as that column's text is set on the first pass.
If, however, you click on a frame containing a request, the protocol
tree it displays can show the frame number of the response.
