Wireshark · Ethereal-dev: Re: [Ethereal-dev] first packet in capture is dissected three times

Ethereal-dev: Re: [Ethereal-dev] first packet in capture is dissected three times

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Thu, 20 Jun 2002 14:24:15 -0700

On Thu, Jun 20, 2002 at 12:58:29PM -0400, Joe Litman wrote:
> I have a small capture file that contains 10 RTP packets. I noticed that
> when I load the file (ethereal 0.9.1 on W2K server), the first packet is
> passed to dissect_rtp three times. The first time the packet is passed to
> dissect_rtp, tree is NULL. The second and third times, tree has a valid
> value. All other packets in the capture are passed to dissect_rtp only once
> and tree is NULL. 
> 
> This does not effect the display of the file but I was wondering if this
> behavior is intentional and if so why.

The fact that it gets called multiple times appears to be a consequence
of the way GTK+ works.  When Ethereal reads the capture file, it
dissects every single frame, in sequential order, as

	1) it needs to do so in order to get the values to put in the
	   columns for that field in its row in the packet list pane
	   (first pane);

	2) it needs to allow the dissector to build any internal state
	   it'd need to

		dissect that frame later if you click on it;

		dissect subsequent frames whose complete and correct
		interpretation would depend on the contents of previous
		frames (e.g., a request/response protocol where the
		response cannot be interpreted without knowing what the
		request was - ONC RPC-based and DCE RPC-based protocols
		require this, for example).

However, it does not need to build the full protocol tree for packets on
that pass, so it passes a NULL tree value.  That prevents the
dissectors from building the protocol tree, which means they spend less
CPU time dissecting.

However, when the first item is added to a GtkClist (the widget used to
implement the packet list pane, GTK+ appears to select that item and
deliver a "this item was selected" for that item.  Ethereal responds to
that item by dissecting the frame, constructing its protocol tree, and
displaying that protocol tree in the protocol tree pane (second pane). 
That accounts for the second call to the dissector.

I'd have to look at the code to see why there's a third call, but I
think Ethereal might also explicitly select the first frame (it might
not be assuming that GTK+ will do so), provoking another dissection and
display.

Note that no dissector can *ever* assume it will be called only once,
nor can it ever assume that it will only be called on the Nth frame
immediately after it's been called on frames 1 through N-1.

References:
- [Ethereal-dev] first packet in capture is dissected three times
  - From: Joe Litman

Prev by Date: Re: [Ethereal-dev] OBJEXT/EXEEXT not being defined in configure for ethereal
Next by Date: Re: [Ethereal-dev] Re: [Ethereal-users] New User - How do I cpature/save Cisco Debugs For Analysis (forw)
Previous by thread: [Ethereal-dev] first packet in capture is dissected three times
Next by thread: [Ethereal-dev] OBJEXT/EXEEXT not being defined in configure for ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$