Wireshark-dev: Re: [Wireshark-dev] Re : dissector_add(tcp.proto... / where to find parameter fo
On Apr 23, 2009, at 8:16 AM, yvanmmailbox-web@xxxxxxxx wrote:
> I'm almost a beginner so maybe I'm wrong, but here is what I suppose:
> udp.proto doesn't exist; if you want to dissect all frames that
> contain udp protocol, you should use:
> dissector_add("ip.proto", 0x11, red_handle)
> but in this case you lose the UDP dissection (and your dissection
> will be eth:ip:red) and maybe create a conflict (I think it can work
> if you disable the UDP protocol in WS).
> The parameter you give in "dissector_add" should be an expression
> associated with a hf_field in the lower dissector.
No.
The parameter you give in dissector_add() should be the name of a
dissector table; the *ONLY* dissector table for UDP is named
"udp.port". (Giving dissector tables that correspond to a particular
protocol field the same name as the field was an obvious choice, but
it *can* confuse people into thinking you can use arbitrary fields in
dissector_add() calls.)
So, no, you can't use "udp.length" as a field name.
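
The registration described in the reply above, as an added example that is not part of the original thread. It uses Wireshark's Lua API rather than the C dissector_add() call, but targets the same "udp.port" dissector table. The port number, the fixed message length and the "type" field are assumptions made for illustration.

```lua
-- Added example (Wireshark Lua API), not code from the thread.
-- Assumed for illustration: UDP port 50000, a fixed 8-byte RED message,
-- and a one-byte "type" field at offset 0.
local RED_PORT = 50000
local RED_LEN  = 8

local red = Proto("red", "RED Protocol (example)")
local f_type = ProtoField.uint8("red.type", "Type", base.HEX)
red.fields = { f_type }

function red.dissector(tvb, pinfo, tree)
    -- A length condition cannot be a dissector table key ("udp.length" is
    -- a field, not a table), so it is checked here on the payload instead.
    if tvb:len() ~= RED_LEN then
        return 0  -- payload is not a RED message
    end
    pinfo.cols.protocol = "RED"
    local subtree = tree:add(red, tvb(), "RED Protocol (example)")
    subtree:add(f_type, tvb(0, 1))
    return tvb:len()
end

-- "udp.port" is the dissector table that the UDP dissector consults,
-- so the UDP layer is still dissected and RED appears beneath it.
DissectorTable.get("udp.port"):add(RED_PORT, red)
```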