On Sep 10, 2012, at 7:37 PM, mmann78@xxxxxxxxxxxx wrote:

> I guess I've always used the rule that simple [1] dissectors (no matter how large) should all have the tree != NULL check before any dissection really takes place.

"Simple" would also have to include "no subdissectors" so that you don't end up skipping subdissector calls if you're not building a protocol tree.

> Most of the "expert info" I've seen is attached to "tree items" along the lines of "field validation" (command/value not supported/recognized, length incorrect, etc). Without the tree, they don't seem very useful.

The "expert info" shows up not only in the protocol tree but also in the Analyze -> Expert Info window, and the highest "expert info" level shows up in a colored light on the status bar (hopefully it's still of use to colorblind users...), so it needs to be added when the capture is first read in.

> I've also seen dissectors that appear to be more geared towards tshark (lots of data in COL_INFO) than Wireshark,

Data in COL_INFO is useful to Wireshark users as well, if they're scanning the packet list pane.