Wireshark-dev: Re: [Wireshark-dev] Packet sample repository/library?
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Sat, 24 Dec 2016 14:30:43 +0100
On Wed, Dec 21, 2016 at 03:51:51PM -0500, Jeff Morriss wrote:
> On Wed, Dec 21, 2016 at 5:28 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> 
> > > 2) Won't be good idea to allow skip a sample from automatic testing
> > > (because it is for GUI demonstration)?
> >
> > You can invoke individual tests (which is most likely what you want when
> > you are testing changes to a single dissector). GUI versus tshark
> > single-pass and two-pass (-2) should produce the same results.
> >
> 
> Maybe this isn't quite what you meant but it *is* (semi-)normal that 1- and
> 2- pass results are different.  At least for generated fields (that require
> information from the first pass to calculate--e.g., links to frames that
> occur later in the capture).  [Or do those fields not show up in tshark's
> 2nd pass either?  My memory is fading...]

You are right, I was a bit imprecise. In the context of VoIP calls, when
the 1-pass recognizes a conversation, the same conversation *should*
also be found by the 2-pass. Indeed, dissectors can add extra
information in the 2-pass (like a "Response in frame X" link) and these
would show in the tshark -2 output as well.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl