Wireshark-dev: Re: [Wireshark-dev] Dissecting - access previous packet in TCP conversation
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Nov 2010 12:20:26 -0700
On Tue, Nov 23, 2010 at 05:04:13PM +0000, Jon Andersen wrote:

> The protocol I am dissecting requires a bit of data from the previous 
> packet in order to properly dissect the current one.  Using per-packet 
> data (p_get_proto_data(), etc) and per-conversation data 
> (find_conversation()) gets me part of the way there but not all the 
> way.  I can use per-packet data to store the data I need with the 
> packet, but the problem is finding the previous packet when dissecting 
> the current one.

In addition to (or instead of) using per packet data, try using per 
conversation data.  See section 2.2 of README.developer in the doc 
directory of the source code.  A number of dissectors do this from ones 
as simple (these are just examples of ones I've done) as packet-exec.c 
to as complex as packet-vnc.c, which uses per packet and per 
conversation data.

> The problem is that during dissection of the current packet, I need to 
> find the _previous_ packet in the _same_ conversation, in the _same_ 
> direction (e.g., if the command is client-to-server, I need the 
> previous client-to-server packet).  pinfo->fd->prev isn't sufficient 
> because that isn't necessarily the right packet.

If you need to keep a running tab of what the last packet's value was, 
you can save the current packet's (from the correct direction) in the 
per conversation data and then replace it on every new packet you 
dissect so you always have the latest value.  Per conversation is 
probably more often used to set certain values for later use though.
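
The running-tab approach described above, as an added example that is not part of the original message and is not Wireshark code: a stand-alone C model that keeps one slot per direction in the per-conversation state and snapshots the previous value into per-packet state on the first pass. All type and function names are hypothetical. It assumes packets are dissected in order once and may then be re-dissected in any order, so the conversation slot can only be trusted on the first pass.

```c
#include <stdint.h>

/* Stand-alone model with hypothetical names. In a real dissector,
 * conv_state would be attached to the conversation (per-conversation data)
 * and pkt_state to the frame (per-packet data). */

enum direction { CLIENT_TO_SERVER = 0, SERVER_TO_CLIENT = 1 };

#define NO_PREVIOUS UINT32_MAX
#define MAX_FRAMES  64

typedef struct {              /* per-conversation: running tab, one slot per direction */
    uint32_t last_value[2];
} conv_state;

typedef struct {              /* per-packet: snapshot taken on the first pass */
    int      visited;
    uint32_t prev_value;
} pkt_state;

static pkt_state per_packet[MAX_FRAMES];   /* indexed by frame number */

void conv_init(conv_state *c)
{
    c->last_value[CLIENT_TO_SERVER] = NO_PREVIOUS;
    c->last_value[SERVER_TO_CLIENT] = NO_PREVIOUS;
}

/* Returns the value carried by the previous packet in the same direction,
 * or NO_PREVIOUS for the first packet in that direction (or a frame number
 * outside the model's table). */
uint32_t dissect(conv_state *c, uint32_t frame, enum direction dir, uint32_t value)
{
    pkt_state *p;

    if (frame >= MAX_FRAMES)
        return NO_PREVIOUS;
    p = &per_packet[frame];
    if (!p->visited) {
        /* First pass: read the tab for this direction, then overwrite it. */
        p->prev_value = c->last_value[dir];
        c->last_value[dir] = value;
        p->visited = 1;
    }
    /* Later passes: the tab now holds a newer packet's value, so use
     * only the snapshot stored with this frame. */
    return p->prev_value;
}
```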