Jacques, Olivier (OCBU-Test Infra) wrote:
Hello,
I wrote a new dissector and I have an issue with the col_clear and
col_append_fstr.
Several messages of this protocol (on top of TCP or UDP or TPKT) can be
in one IP packet.
For example a packet can look like this:
Frame 43 (520 bytes on wire, 520 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00 (00:00:00:00:00:00), Dst:
00:00:00:00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1
(127.0.0.1)
Transmission Control Protocol, Src Port: 3868 (3868), Dst Port: 34254
(34254), Seq: 2500, Ack: 8826, Len: 454
MBI Protocol (AuthorizeConf)
MBI Protocol (AuthorizeConf)
MBI Protocol (AuthorizeConf)
MBI Protocol (AuthorizeConf)
MBI Protocol (AuthorizeConf)
MBI Protocol (AuthorizeConf)
MBI Protocol (EndAck)
MBI Protocol (EndAck)
What I would like to do is to set the COL_INFO column to:
"AuthorizeConf, AuthorizeConf, AuthorizeConf, AuthorizeConf,
AuthorizeConf, AuthorizeConf, EndAck, EndAck" (listing all the messages
in COL_INFO). So I tried to use col_append_fstr.
But I don't know where to put the col_clear. If I put it in the routine
set in "create_dissector_handle", that is, as soon as I can, the
COL_INFO column gets cleared for every protocol message and I only get
the last message (EndAck) in this case displayed.
If I don't use col_clear, using col_append_fstr keeps the info from TCP
and the COL_INFO column doesn't contain what I would like.
Any suggestion?

I had the same problem with the DCE/RPC dissector.
Fortunately, the DCE/RPC dissector keeps its private field in
pinfo->dcectxid which is zero if the DCE/RPC dissector is called the
first time for this packet and nonzero otherwise.
This way I could find the first block.
I don't know if it's the recommended solution, but you could add a field
to pinfo which starts with zero and counts the appearances of your blocks.
Regards, ULFL
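
The counter approach suggested in the reply, sketched as a self-contained C model (an added example, not code from either message or from the Wireshark source). `model_pinfo`, `mbi_count`, the `model_col_*` helpers and the TCP summary string are constructed stand-ins for `pinfo`, the proposed new field, `col_clear`/`col_append_fstr` and the text TCP leaves in COL_INFO.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for Wireshark's packet_info (assumption, not the real struct). */
typedef struct {
    char col_info[256];   /* models the COL_INFO text */
    unsigned mbi_count;   /* hypothetical field: MBI blocks seen so far in this frame */
} model_pinfo;

/* Stand-in for col_clear on COL_INFO. */
static void model_col_clear(model_pinfo *p) { p->col_info[0] = '\0'; }

/* Stand-in for col_append_fstr on COL_INFO; truncates instead of overflowing. */
static void model_col_append(model_pinfo *p, const char *s)
{
    size_t used = strlen(p->col_info);
    snprintf(p->col_info + used, sizeof p->col_info - used, "%s", s);
}

/* Called once per MBI message found in the frame. */
static void dissect_mbi_message(model_pinfo *p, const char *msg_name)
{
    if (p->mbi_count == 0)
        model_col_clear(p);          /* first block only: drop the TCP text */
    else
        model_col_append(p, ", ");   /* later blocks: keep what is already there */
    model_col_append(p, msg_name);
    p->mbi_count++;
}

/* Models one frame: TCP fills COL_INFO, then every MBI message is dissected. */
static const char *dissect_frame(model_pinfo *p, const char *const *msgs, size_t n)
{
    memset(p, 0, sizeof *p);         /* the counter must start at zero for each frame */
    model_col_append(p, "3868 > 34254 Seq=2500 Ack=8826 Len=454"); /* constructed */
    for (size_t i = 0; i < n; i++)
        dissect_mbi_message(p, msgs[i]);
    return p->col_info;
}

int main(void)
{
    static const char *const msgs[] = { "AuthorizeConf", "AuthorizeConf", "EndAck" };
    model_pinfo p;
    puts(dissect_frame(&p, msgs, 3));
    return 0;
}
```
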