Wireshark-dev: Re: [Wireshark-dev] Failing to get my tree to show
From: Kaul <mykaul@xxxxxxxxx>
Date: Sat, 16 Jan 2010 20:39:53 +0200
On Sat, Jan 16, 2010 at 4:30 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Nope.
Indeed. I cannot use either of the above mentioned methods.
Even if I'm not setting right away (others do it as well - I've taken it from packet-vnc.c), then it's even worse - all I see is the TCP.
Exactly. It's not that it's not dissected - all the right functions are called. But with tree = null, not much is seen.
I can see that TCP correctly shows the 3 segments in packet 6 (that it reassembled from packets 4,5,6).
From README.developer:
"Wireshark distinguishes between the 2 modes with the proto_tree pointer"
Again, I think my main issue is that my main dissector function is already called with a null tree. That makes everything afterwards pretty much fail to display.
I did notice it doesn't happen without the desegmentation stuff - so I'm pretty sure it's related to that. Just have no idea why.
Would posting the complete code help?
TIA,
Y.
Null even if you click on the packet?
On Jan 15, 2010, at 1:50 PM, Kaul wrote:
> Hi,
>
> I'm trying to write a new dissector, and failing miserably getting my tree to show, because the tree I'm getting in my dissect_PROTONAME() is always NULL, not sure why.
Nope.
By "my own desegmentation" I assume you mean "my own code to get the TCP dissector to reassemble stuff, rather than using tcp_dissect_pdus() or req_resp_hdrs_do_reassembly()", given that you refer to setting pinfo->desegment_len.
> I'm dissecting over TCP, with (regretfully) my own desegmentation:
Indeed. I cannot use either of the above mentioned methods.
You're setting COL_PROTOCOL before you're doing
> packets 1-3 are syn, syn-ack, ack.
> packet 4 is a start of a PDU, which is not enough to dissect the PDU, although I'm a getting its header. From the header, I'm taking the complete PDU length and therefore setting pinfo->desegment_len to calculated PDU length - length of what I got already ( with the offset = 0).
> This looks nice and correct and indeed seems to be desegmented correctly, BUT:
> packet 4 has my COL_PROTOCOL set (why?, I didn't dissect it eventually)
so you did enough dissection to set the column.
> if (len < pdu_len && redc_desegment) { /* Did not get all the PDU - request the full length of the PDU */
> pinfo->desegment_offset = 0;
> pinfo->desegment_len = pdu_len - len;
> return len;
> }
Even if I'm not setting right away (others do it as well - I've taken it from packet-vnc.c), then it's even worse - all I see is the TCP.
The BGP dissector works the same way; one could argue that it shouldn't.
OK, presumably you know it has COL_PROTOCOL set because row 6 of the packet list has "Spice" in the Protocol column; do you know that it's not dissected because, when you click on that row, you don't see a protocol tree for your protocol?
> packet 5 doesn't (correct, I've asked for more than it has - it just a TCP segment)
> packet 6 has my COL_PROTOCOL set (good) - but the packet isn't dissected there, although now I have the complete data (and TCP desgmentation shows the data is indeed taken from packets 4, 5 ,6 correctly.
Exactly. It's not that it's not dissected - all the right functions are called. But with tree = null, not much is seen.
I can see that TCP correctly shows the 3 segments in packet 6 (that it reassembled from packets 4,5,6).
I wouldn't describe them as "modes"; it's more like "Wireshark generates a protocol tree if it knows it will need one, and in some cases, perhaps, where it doesn't, but doesn't really know that it doesn't". There are no "modes" such that a guarantee is made that, in certain cases, you will be handed a tree and, in other cases, you won't, only that if the tree is going to be displayed or printed you will be handed a tree (if not, that's obviously a bug).
> I do know wireshark has two modes, one of which it goes over packets without the tree set, but I don't get when and where.
From README.developer:
"Wireshark distinguishes between the 2 modes with the proto_tree pointer"
There's also a bit of a hack that attempts to prevent the entire protocol tree from being generated when it's *not* going to be displayed or printed and where some fields *aren't* needed, and some dissectors that, for example, use proto_item_append_string() have to work around - see change r31460, for example.
Again, I think my main issue is that my main dissector function is already called with a null tree. That makes everything afterwards pretty much fail to display.
I did notice it doesn't happen without the desegmentation stuff - so I'm pretty sure it's related to that. Just have no idea why.
Would posting the complete code help?
TIA,
Y.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
- Follow-Ups:
- Re: [Wireshark-dev] Failing to get my tree to show
- From: Guy Harris
- Re: [Wireshark-dev] Failing to get my tree to show
- References:
- [Wireshark-dev] Failing to get my tree to show
- From: Kaul
- Re: [Wireshark-dev] Failing to get my tree to show
- From: Guy Harris
- [Wireshark-dev] Failing to get my tree to show
- Prev by Date: Re: [Wireshark-dev] plugins and C++
- Next by Date: Re: [Wireshark-dev] read error: PacketReceivePacket failed
- Previous by thread: Re: [Wireshark-dev] Failing to get my tree to show
- Next by thread: Re: [Wireshark-dev] Failing to get my tree to show
- Index(es):