Wireshark · Wireshark-dev: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined

Wireshark-dev: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap define

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Sun, 12 Feb 2017 19:55:15 -0800

The underlying problem here appears to be that the TRANSUM post-dissector is not only adding stuff to the protocol tree, which obviously doesn't need to be done if there is no protocol tree, but is also doing *analysis* of the packet information.

The latter of those should *not* be done in a dissector - it should be done in a tap.

Unfortunately, *currently*, taps are run after all dissectors, including post-dissectors, are run, which might not work for this purpose.  If so, what we probably would need here is to have a mechanism to allow taps to be run "early".  For now, we could define "early" as "before the post-dissectors are run".

Follow-Ups:
- Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
  - From: Paul Offord

References:
- [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
  - From: Paul Offord
- Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Next by Date: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Previous by thread: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Next by thread: Re: [Wireshark-dev] Tshark: proto_tree not created on first pass with tap defined
Index(es):
- Date
- Thread