Wireshark · Wireshark-dev: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined

Wireshark-dev: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap define

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Sun, 12 Feb 2017 19:13:43 -0800

On Feb 10, 2017, at 12:15 AM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

> It's normal for a dissector to be called with a NULL proto_tree pointer on the first pass *unless* a tap has been registered.

Actually, it's currently normal, in TShark, if you're doing two-pass processing, for taps not to be called on the first pass, so it's currently irrelevant whether a tap has been registered or not - no protocol tree is constructed on the first pass of two-pass processing unless it's needed for filtering, so no protocol tree is passed to dissectors, including post-dissectors, on the first pass of two.

If your post-dissector (which is *not* a tap) needs to be called with a protocol tree on *every* pass, that means that we need a way for post-dissectors to *directly* indicate that they need a protocol tree, *separate* from anything related to tap registration.  Taps should not be registered solely as a way to affect *other* code, such as a post-dissector.

Follow-Ups:
- Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
  - From: Guy Harris

References:
- [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
  - From: Paul Offord

Prev by Date: Re: [Wireshark-dev] Release package for Mac
Next by Date: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Previous by thread: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Next by thread: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Index(es):
- Date
- Thread