Wireshark-dev: Re: [Wireshark-dev] What is the best way to create a stateful dissector?
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Tue, 22 Nov 2011 19:02:01 -0500
On 11/22/2011 6:38 PM, Bill Meier wrote:
On 11/22/2011 6:19 PM, Kenny Ho wrote:
Hi,

I am writing my first dissector and it needs to dissect a packet base
on some information in previous packets. The protocol also allows
multiple of these stream mux together. What is the best way to
create a stateful dissector? From the dev guide, I notice there are
two different mechanisms that is "stateful" - the tap and the
"conversation". From what I can tell, tap seems to be for
post-processing of stats only. So is the "conversation" mechanism
the best way to implement a stateful dissector?

Yes: In addition to the dev guide, see doc/README.developer.

Did I miss any some other mechanism?

Note that it's possible (but less desirable due to memory usage) to store
"per-packet" state info (see README.developer section 2.5).


Be aware that after the first pass that packets may be redissected in any order depending upon factors such as when they are selected or when they are displayed and so on.

'pinfo->fd->flags.visited' can be examined to determine if a frame is being dissected for the first time (during the first pass when a file is being read).

(See below for some recent comments by Guy Harris).

So, it may be the case that you'll need to store "per-frame" info about any decisions made as to how to dissect a particular packet based upon a previous packet.

When an arbitrary packet is then dissected again later the associated per-packet info is used to do the dissection in the same way as done during the first sequential pass.

====================

Comments bu Guy Harris from a recent -dev EMail

For "pass" in the sense of "sequential pass over all packets", there is no guarantee that there's more than one "pass", that pass being the one where the file is read in. However, packets can, after they've been dissected in the first pass, be subsequently visited in any order (no guarantee that it's sequential).

There is also no guarantee that tree will, or will not, be null on the first pass; dissectors should make no assumptions about that.

All work to construct state needed for request/response tracking, etc. must be done in the first pass, regardless of whether tree is null or not (see the note two paragraphs ago about visits to packets after they've been dissected in the first pass, in particular "no guarantee that it's sequential").