Re: [Wireshark-dev] Is this a bug in display filter engine or something I have done wrong?

2015-08-18 Thread Gilbert Ramirez
Hi Richard. You can use the 'dftest' executable that is built along with Wireshark to convert a display filter string to the byte-code used for the Display Filter Virtual Machine. Do that for "wlan.dmg_params.bss == 1" and compare that to the output for a similar display filter for another fie

Re: [Wireshark-dev] Recommended QT version to build Wireshark Master ?

2016-09-14 Thread Gilbert Ramirez
I used Qt 5.7 to build on Windows, 64-bit, yesterday and today. Should it be avoided, in favor of Qt 5.6? Gilbert On Mon, Sep 12, 2016 at 5:06 PM, Graham Bloice wrote: > > > On 12 September 2016 at 20:22, Bill Meier wrote: > >> On 9/12/2016 3:11 PM, Bill Meier wrote: >> >>> I'm finally getti

Re: [Wireshark-dev] git-review fails with an SSL error

2017-01-17 Thread Gilbert Ramirez
And once you copy the commit-msg hook, you can fix your current commit with: $ git commit --amend It gives you a chance to edit your commit message if you want, but it will also run the commit-msg hook and add a change ID after the fact. You can verify with "git log" to see if the change ID was a

Re: [Wireshark-dev] Wireshark 4.0.1 clone and build fails with test failures and complaints about paths prefixed in the source directory

2023-05-04 Thread Gilbert Ramirez
Try setting WIRESHARK_BASE_DIR to C:\Project. Notice in section 2.2.11 at https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWindows that WIRESHARK_BASE_DIR is the *parent* directory of where the git clone happened. Gilbert On Wed, May 3, 2023 at 9:10 PM wrote: > The issues with building f

[Wireshark-dev] Are we fully moved over to C++ compilers?

2023-05-17 Thread Gilbert Ramirez
What's the state of our toolchain requirements for wireshark and all the programs within it? The CMakeLists.txt indicates we need C++ 11, but also has variables for C_ONLY_FLAGS. Some .c/.h files have "#ifdef __cplusplus" and others don't. Basically, if I'm working on a new feature in common code

Re: [Wireshark-dev] Information about troubleshooting Workspace and VM connectivity issues. I wonder.

2023-07-07 Thread Gilbert Ramirez
Hello. I cannot think of a reason why installing Wireshark fixed your connection issues. Maybe it was a coincidence. Gilbert On Fri, Jul 7, 2023 at 9:05 AM 김동환 wrote: > hello. > > I'm a Korean. I have a question. > > Connect to virtualized VM through Workspace via SSLVPN on MacBook. > > The co

Re: [Wireshark-dev] Inquiry about a TCP server packet capture

2023-08-23 Thread Gilbert Ramirez
The difference is 1/100th of a second; that's basically simultaneous for your testing procedure. Gilbert On Tue, Aug 22, 2023 at 10:25 AM Ahmad Haron wrote: > Dear, > Hope you are doing well, > I wrote a simple (Single Threaded and Multi Threaded) TCP echo server, and > captured the packets in

Re: [Wireshark-dev] Changes to the plugin registration API

2023-12-04 Thread Gilbert Ramirez
The GPL FAQ discusses this: https://www.gnu.org/licenses/gpl-faq.en.html#InternalDistribution Is making and using multiple copies within one organization or company “distribution”? (#InternalDistribution ) No, in that case the or

[Wireshark-dev] Re: Latest Protocol dissectors

2024-08-20 Thread Gilbert Ramirez
One way to do that is to watch the Merge requests on gitlab, where Wireshark development happens. https://gitlab.com/wireshark/wireshark/-/merge_requests There you will see the incoming changes. Gilbert On Mon, Aug 19, 2024 at 10:38 AM Nyambe Given Linyotwa < linyotwa...@gmail.com> wrote: > H

Re: [Wireshark-dev] Polling for possible reasons why the 'filter name' does not work

2013-08-28 Thread Gilbert Ramirez
The protocol filter name checks for the existence of the protocol entry in the proto_tree data structure hierarchy. This is done with proto_tree_add_item(), as in this example from packet-ip.c: ti = proto_tree_add_item(tree, proto_ip, tvb, offset, hlen, ENC_NA); Could it be that your "proto_ABC"

Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c

2013-09-05 Thread Gilbert Ramirez
I'll take a look. Gilbert On Wed, Sep 4, 2013 at 8:04 AM, Maynard, Chris < christopher.mayn...@gtech.com> wrote: > Good ideas! > > I haven't dug too deeply into the display filter logic yet though, so if > someone more familiar with it than I am would like to implement it, then > please do. Th

Re: [Wireshark-dev] Tool Ownership and Licensing

2013-09-17 Thread Gilbert Ramirez
tion was not >> to license the script under one of Wireshark's permitted licenses, >> please remove it from the repository (or contact me to that effect). >> >> tools/asn2wrs.py >> > > Thomas Kukosa > > tools/ftsanity.py >> > > Gilbert Ramirez >

Re: [Wireshark-dev] compile test of checkins mandatory ?

2013-11-08 Thread Gilbert Ramirez
I'd prefer to let the buildbots take care of it after the commits, because of the different OSes (and different compilers) that have to be built for full verification. I'm wary of too much pre-commit process. Perhaps the future Gerrit infrastructure can make this part of the workflow, after code-

Re: [Wireshark-dev] "Type-punned pointer... breaks anti-aliasing rules" in dfilter-macro.c

2014-01-29 Thread Gilbert Ramirez
I'm encountering the same problem building on an old RedHat 5.0 system, using gcc 4.1.2. Was there any fix committed to add -fno-strict-aliasing for some configurations? (there doesn't appear to be) Gilbert On Tue, Jun 18, 2013 at 6:09 PM, Evan Huus wrote: > Probably the simplest fix is to ad

Re: [Wireshark-dev] "Type-punned pointer... breaks anti-aliasing rules" in dfilter-macro.c

2014-01-29 Thread Gilbert Ramirez
I have attempted a code fix to remove all the -fstrict-alias warnings uncovered by the old version of gcc I am using. https://code.wireshark.org/review/#/c/40/ Gilbert On Wed, Jan 29, 2014 at 4:37 AM, Gilbert Ramirez wrote: > I'm encountering the same problem building on an old Re

Re: [Wireshark-dev] Rename TVB captured length vs reported length

2014-02-17 Thread Gilbert Ramirez
Sounds good! :) Gilbert On Mon, Feb 17, 2014 at 2:48 PM, Jeff Morriss wrote: > On 02/17/14 17:44, Jakub Zawadzki wrote: > >> Hi, >> >> On Mon, Feb 17, 2014 at 05:07:04PM -0500, Evan Huus wrote: >> >>> After yet another patch submission where this was unclear, I would >>> like to propose the fol

Re: [Wireshark-dev] docbook/README.txt out of date

2014-03-17 Thread Gilbert Ramirez
Starting from section 8, and beyond of this doc: http://www.methods.co.nz/asciidoc/userguide.html But probably more useful is the asciidoc source for the user guide, which is at: http://www.methods.co.nz/asciidoc/asciidoc.txt That is, you can learn by example from the user guide asciidoc source

Re: [Wireshark-dev] Why does nobody use ptvcursor?

2014-07-09 Thread Gilbert Ramirez
Most likely it's just lack of documentation. Gilbert On Jul 9, 2014 7:20 AM, "Evan Huus" wrote: We don't recommend it, we don't even advertise it in the docs, almost no dissectors use it... Is there something wrong with it? Evan

Re: [Wireshark-dev] Regarding Modification of Display Filters

2007-05-30 Thread Gilbert Ramirez
Is the 2nd protocol known beforehand? If so, then I don't understand why the display filter has to be modified on the fly. Can you describe the situation a bit more? Wouldn't it be something like: (other part of display filter) and (if proto1 then "|| proto2" ) in which case, you could say: (

Re: [Wireshark-dev] filter expression required

2007-07-01 Thread Gilbert Ramirez
You're really using the "contains" keyword? That's for strings and binary strings. The spaces in your filter are probably confusing the shell when you invoke wireshark/tshark from the command-line. Are you running on Unix? Use single quotes around your filter: tshark 'udp contains xx

Re: [Wireshark-dev] filter expression required

2007-07-01 Thread Gilbert Ramirez
pcap, but i am not getting any documentation of it. *"Gilbert Ramirez" <[EMAIL PROTECTED]>* Sent by: [EMAIL PROTECTED] 07/02/2007 11:15 AM Please respond to Developer support list for Wireshark To "Developer support list for Wireshark" cc Subject Re: [Wireshark-dev

Re: [Wireshark-dev] filter expression required

2007-07-01 Thread Gilbert Ramirez
t;[EMAIL PROTECTED]>> wrote: yes i am using 'contains' keyword, and i am giving name of my protocol which is a string. i am running it on Windows and i used 'udp contains my_protocol' also but it's not working... i need to give filter expressions defined by pc

Re: [Wireshark-dev] filter expression required

2007-07-01 Thread Gilbert Ramirez
BD} -k -f UDP but I want something like *Command line:-* wireshark -i \Device\NPF_{52EFAA93-34C5-4F7E-80AE-638A48E3F1BD} -k -f *UDP contains my_protocol* *so that only my_protocol gets sniffed.* *"Gilbert Ramirez" <[EMAIL PROTECTED]>* Sent by: [EMAIL PROTECTED] 07/02/

Re: [Wireshark-dev] ethernet type

2007-07-03 Thread Gilbert Ramirez
Your application needs to store the type in network order (big-endian order) in the packet before it sends it out. Wireshark is programmed to follow the specifications of the protocol, regardless of what type of CPU wireshark is running on. Similarly, network applications or network stacks must fo

Re: [Wireshark-dev] tvb in a conversation

2007-07-27 Thread Gilbert Ramirez
You can use conversations to share data between packets. However, it knows nothing about tvbuffs. Tvbuffs will be "garbage collected" once they're not referenced anymore. I suppose you could increment the usage count on the tvbuff so that it won't be garbage-collected until the conversation itself

Re: [Wireshark-dev] Startup speed up - remove dissectors?!

2007-11-21 Thread Gilbert Ramirez
It would be nice to be able to split each dissector into two source files... one with the actual dissector code, and one with the registration/cross-reference logic. All the cross-reference logic is loaded into Wireshark at run-time. Only when protocols are actually seen in a file does the dissect

Re: [Wireshark-dev] Startup speed up - remove dissectors?!

2007-11-21 Thread Gilbert Ramirez
What I was visualizing was basically turning all dissectors into plugins, too, since they would be dynamically loaded on-demand. But we need to know when to load them, so we have to load *something* from each dissector. That's what I meant about the registration stuff. Split the main code of the di

Re: [Wireshark-dev] Capture Filter Equivalent of tshark -d option!

2007-11-27 Thread Gilbert Ramirez
A capture filter will just limit which packets are saved to a file. You can do that with this capture filter: udp port 21000 The capture filter, however, will not set up your "decode as" option; you need to do that outside the capture filter. --gilbert On 11/28/07, Jack Liou <[EMAIL PROTECTED]>

Re: [Wireshark-dev] Dissector - Read data from file

2008-05-28 Thread Gilbert Ramirez
Look at the text2pcap program in the wireshark distribution as an example. You could also use text2pcap. If you can write a program to convert your XML to a text-file hex-dump, then you can execute text2pcap to convert that to a pcap file. --gilbert On 5/28/08, Hans Glück <[EMAIL PROTECTED]> wro

Re: [Wireshark-dev] regarding packet capture

2008-06-02 Thread Gilbert Ramirez
The "doc" directory in the wireshark distribution has lots of good info. Look at README.design, for example. --gilbert On 6/3/08, Amit Paliwal <[EMAIL PROTECTED]> wrote: > > > Hi, > > I frequently use Wireshark for my work, I just want to know how does > wireshark constructs a tree kind of data

Re: [Wireshark-dev] tvb buffer

2008-06-08 Thread Gilbert Ramirez
The pcap library collects the data from the operating system. That gets passed to wireshark and the tvb is created. --gilbert On 6/9/08, Amit Paliwal <[EMAIL PROTECTED]> wrote: > > I know that in wireshark when a farme is selected the top level dissector is > called like ethernet which in turn ca

Re: [Wireshark-dev] proto tree

2008-06-09 Thread Gilbert Ramirez
On Tue, Jun 10, 2008 at 7:10 AM, Guy Harris <[EMAIL PROTECTED]> wrote: > >> what is the use of defining proto_tree and proto_item differently? > > I'm not sure what the rationale was for that. Gilbert? > That's for a very ancient historical reason. The original release of Ethereal used GtkTree

Re: [Wireshark-dev] Start Dissection from an upper layer?

2008-06-10 Thread Gilbert Ramirez
How do the 2nd-layer dissectors get called normally? Because they register themselves with Wireshark, saying that if "wtap_encap" (the wiretap encapsulation) is a certain type, then call them. For example, from packet-eth.c: dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_hand

Re: [Wireshark-dev] Start Dissection from an upper layer?

2008-06-10 Thread Gilbert Ramirez
On Tue, Jun 10, 2008 at 7:27 PM, Guillaume Bienkowski <[EMAIL PROTECTED]> wrote: > > What I know is that my packet data will always contain ONLY the 2nd > layer data (Ethernet) and the encapsulated data (TCP, UDP, ...). > I think I misunderstood you. I thought your packets started at IP or IPX.

Re: [Wireshark-dev] wireshark

2008-06-18 Thread Gilbert Ramirez
It's needed so that the display filter engine knows about your fields. --gilbert On 6/18/08, Martin Corraine (mcorrain) <[EMAIL PROTECTED]> wrote: > > > Hello, > > I need someone to clarify the purpose of the field registration. I've read > the readme.developer but I'm still lost. > > Thanks!, >

Re: [Wireshark-dev] Arrival time in the packet's frame

2008-08-18 Thread Gilbert Ramirez
it is metadata added by libpcap; it's not from the packet data itself. Basically anything in the "frame" protocol is metadata. --gilbert On Mon, Aug 18, 2008 at 8:04 PM, Nick Zando <[EMAIL PROTECTED]> wrote: > Hi all, > i'm trying to understand how is calculated the Arrival time in the packet's >

[Wireshark-dev] Proposed changes for using a hex integer to compare against single-byte range slices

2012-02-28 Thread Gilbert Ramirez
Hi. I haven't committed anything to Wireshark in quite a while, so I wanted to gently re-introduce myself into the community by requesting a code review. One of my colleagues at work noticed that it feels more natural to compare a single-byte byte string against a hex integer starting with "0x" th

Re: [Wireshark-dev] Unable to build wireshark-1.6.5

2012-03-01 Thread Gilbert Ramirez
"services" is a strange file; its Makefile dependency is just on the tool that creates it, but in reality it's a snapshot in time of data from a remote server. There should be a way to run a build and NOT regenerate this 'services' file at all; the default services file that comes with the wires

[Wireshark-dev] movement of source files from the top-level directory

2012-03-07 Thread Gilbert Ramirez
The existence of so many source files in the top-level directory of the Wireshark source distribution bothers me. I would love to be able to "ls" the top-level directory and not have it scroll off my screen. I have diagrammed the current Wireshark source directory hierarchy at: http://www.gliffy.

Re: [Wireshark-dev] movement of source files from the top-level directory

2012-03-08 Thread Gilbert Ramirez
e: > > On Mar 7, 2012, at 9:07 PM, Gilbert Ramirez wrote: > > > With this in mind, and by analyzing the groupings in Makefile.common, > I'd like to recommend the following movements: > > > > Create new directory called shark, to contain files common, or almost &g

Re: [Wireshark-dev] packet-ncp2222 build question

2012-05-09 Thread Gilbert Ramirez
Yes, PYTHON is the issue, and yes, this is an attempt to remove ncp from wireshark in the absence of PYTHON. But, that attempt is broken. Good find. Gilbert On Wed, May 9, 2012 at 11:19 AM, Beth wrote: > I've run into a puzzling issue here, perhaps someone can explain it to me. > I'm simpl

Re: [Wireshark-dev] packet-ncp2222 build question

2012-05-09 Thread Gilbert Ramirez
We use Python in other areas... I think we should just require python, and get rid of this hacky workaround. Gilbert On Wed, May 9, 2012 at 11:47 AM, Beth wrote: > Glad to help of course - makes up a little for going in circles all > morning. ;) > > Also note that once this copy occurs, there'

Re: [Wireshark-dev] Is there a try ... finally structure for handling exceptions in dissectors?

2012-06-11 Thread Gilbert Ramirez
You can certainly define any exception you want, and use it within your dissector. There is also proto_tree_add_debug_text() for adding arbitrary text to proto_tree, as debug info. Is that what you are looking for? Gilbert On Sun, Jun 10, 2012 at 9:06 PM, Richard Sharpe wrote: > Hi, > > I hav

Re: [Wireshark-dev] Display filter implementation

2012-07-04 Thread Gilbert Ramirez
There is a makefile target called dftest that is used to test the display filter engine. Its dependencies are the minimal set of dependencies you need. Gilbert On Jul 4, 2012 3:18 AM, "Lloyd" wrote: > On Wed, Jul 4, 2012 at 12:05 AM, Guy Harris wrote: > > > > On Jul 2, 2012, at 8:12 AM, Lloyd w

[Wireshark-dev] moving code around and building on multiple OSes

2012-07-12 Thread Gilbert Ramirez
One of the things I'm interested in working on is moving a few code files around for better organization, and also really making the core engine a standalone library with a well defined API, better separating it from the "front-ends" (wireshark, tshark). I'd love to be able to have a python wrapper

Re: [Wireshark-dev] moving code around and building on multiple OSes

2012-07-12 Thread Gilbert Ramirez
t; On Thu, Jul 12, 2012 at 11:01 AM, Gilbert Ramirez > > wrote: > >> > >> Also on my wish list is a rigorously-defined plugin API, with its own > >> versioning, so that 3rd party plugin writers can know which versions of > >> wireshark their plugins will work

Re: [Wireshark-dev] Setup the filter as string instead of frame[start offset:length]

2012-08-08 Thread Gilbert Ramirez
For some reason your screenshots did not get included. Perhaps you can upload them somewhere and provide URLs to them? Gilbert On Wed, Aug 8, 2012 at 6:05 AM, Kumar, Chandan (Chandan) < chandan.ku...@alcatel-lucent.com> wrote: > My request as follows: > Could you, please help me to make change

Re: [Wireshark-dev] Why the name "Wiretap"?

2012-09-28 Thread Gilbert Ramirez
The README in the wiretap library is as ancient as the intention that it be a replacement for libpcap. It says: Wiretap is a library that is being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. Libpcap is great in that it is very platform ind

Re: [Wireshark-dev] Filter definitions

2013-01-17 Thread Gilbert Ramirez
The filter code is in epan/dfilter. The type system is in epan/ftypes. Read doc/README.display_filter for the explanation. Gilbert On Thu, Jan 17, 2013 at 9:35 AM, Arshad wrote: > Hello, > > Can anyone assist me in locating the filter definitions in Wireshark > source code. I mean the location w

Re: [Wireshark-dev] How to read a .cap file

2013-02-01 Thread Gilbert Ramirez
You could use libpcap to read the file. http://www.tcpdump.org/ I suppose you could even use the wiretap library (part of the wireshark distribution) to read it. Or, you can use tshark -Tpdml to dissect the cap file and output XML, which you can then parse. See doc/README.xml-output in the wiresh

Re: [Wireshark-dev] Help

2013-02-12 Thread Gilbert Ramirez
In the source distribution of wireshark, there is a “doc” directory. README.design is small but useful, and README.developer is a very important file to read. Have you read those? Gilbert On Tue, Feb 12, 2013 at 12:03 AM, Ashish Kumar Tripathi < ashish2.tripa...@aricent.com> wrote: > Hi,

Re: [Wireshark-dev] Lemon on a clean build

2013-02-12 Thread Gilbert Ramirez
On a "zero-touch re-build" (what I call a re-build after having changed nothing), I see these steps being performed (in different directories): 1) PERL svnversion.h 2) LEMON grammar.h CC grammar.lo CCLD libdfilter_generated.la CCLD libdfilter.la 3) LEMON dtd_gramma

Re: [Wireshark-dev] Lemon on a clean build

2013-02-12 Thread Gilbert Ramirez
directory. I'll just leave it like that. Gilbert On Tue, Feb 12, 2013 at 9:13 AM, Gilbert Ramirez wrote: > On a "zero-touch re-build" (what I call a re-build after having changed > nothing), I see these steps being performed (in different directories): > > 1) >

Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)

2013-06-20 Thread Gilbert Ramirez
I've written some tools to read various file formats, and what I have learned from this is that it's really most useful to create: 1. a generic library for reading a file format. 2. an application dissector (i.e., a FileShark dissector) for using the generic library, and providing the API that the

Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)

2013-06-20 Thread Gilbert Ramirez
an what we have now. I am thinking specifically of custom file formats that I would want to write "file dissectors" for (for some proprietary file formats at my job). Thanks, Gilbert On Thu, Jun 20, 2013 at 3:57 PM, Evan Huus wrote: > On Thu, Jun 20, 2013 at 2:39 PM, Gilbert Ramirez

Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)

2013-06-21 Thread Gilbert Ramirez
One thing that comes to mind about how a FileShark GUI should be different from a WireShark GUI is the amount of data that should / can be shown. In my job, I often analyze ELF files. Very big ELF files. One thing I'd like to do in FileShark is to read them, look at the various headers, but not ha

Re: [Wireshark-dev] Understanding a file format with no underlying protocol information

2006-07-25 Thread Gilbert Ramirez
There are some DLT values that are reserved for this type of prototyping. From pcap-bpf.h: #define DLT_USER0 147 #define DLT_USER1 148 #define DLT_USER2 149 ...etc. But be sure to read the comment that precedes these definitions; it's trivial to ask for your own DLT value, as Je

Re: [Wireshark-dev] HELP! - text file in GUI

2006-08-01 Thread Gilbert Ramirez
Yes, you could treat any arbitrary piece of data as "packet" data and have a dissector put it into the wireshark GUI. Where the fake protocol should go in the protocol stack is entirely up to you. You could make it a "link layer", and have wiretap understand it as its own special file format, and

Re: [Wireshark-dev] How many tree items is too many?

2006-08-22 Thread Gilbert Ramirez
Make the limit high, to guard against infinite loops. Not too low, as if we were trying to impose some design on the dissector. So even a number like 10,000 is good. That will guard against infinite loops, and [hopefully] won't break a good dissector. --gilbert On 8/22/06, Gerald Combs <[EMAIL P

Re: [Wireshark-dev] Dissecting a specific layer (the application layer)

2006-08-30 Thread Gilbert Ramirez
You have a new link-layer, the HTTP-request link-layer. You'd have to support that in wiretap, so that wiretap can pass wireshark this data. Then set things up so that the frame dissector in packet-frame.c calls your http_request dissector when the HTTP-request link-layer is seen. I suspect you'l

Re: [Wireshark-dev] WireShark crashes when I try to use a filter on my plugin dissector

2006-09-19 Thread Gilbert Ramirez
On 9/19/06, Bill Fassler <[EMAIL PROTECTED]> wrote: > Thanks Guy, Jaap et al for helping me through this. My plugin dissector > seems to be working pretty well until I try to filter on something. When I > open the expression box and then expand my plugin filter(s), as soon as I > select the field

Re: [Wireshark-dev] Should we check value_strings for NULL termination while registering?

2006-09-20 Thread Gilbert Ramirez
I believe we do this in the build-bot testing, by doing: tshark -G values Since that operation iterates across all the value_string arrays, a non-terminated array will result in an error, or at least it should. Is that enough testing? --gilbert On 9/20/06, Ulf Lamping <[EMAIL PROTECTED]> w

Re: [Wireshark-dev] Analyze winpcap packets

2006-10-02 Thread Gilbert Ramirez
I'm not familiar with Labview, or this "plugin" for LabView. What type of file does this plugin produce? I would hope it would produce a pcap-style file (since WinPcap can produce such a file). In that case, the pcap file can be loaded directly into Wireshark with the File | Open menu item. Is th

Re: [Wireshark-dev] Pending stuff for 0.99.4

2006-10-25 Thread Gilbert Ramirez
I'd like to see revision 19680 in the 0.99.4pre2 release. It's a fix to bug 1085. I just checked it in, but the submitter and I have been working on it and testing it for the past 2 weeks. I've done fuzz testing, too. --gilbert

Re: [Wireshark-dev] Fetching of Structure from the tvb....

2006-10-28 Thread Gilbert Ramirez
On 10/28/06, prashanth joshi <[EMAIL PROTECTED]> wrote: > Hi, > Suppose the tvb contains a structure and we are supposed to add the > structure elements one by one in to the display tree. > Suppose the structure has the following elements: > char > int > char > int. > Now my thinking is , > We can

Re: [Wireshark-dev] Question: dissector tree display construction

2006-11-30 Thread Gilbert Ramirez
You can always use proto_tree_add_text to add plain text to the dissection tree. But I can tell you from experience that although you may not want to filter on those fields now... in the future you might want to, and another person might need them, too. --gilbert On 11/30/06, Eliot Blennerhasset

Re: [Wireshark-dev] Regarding dissectors.

2006-12-03 Thread Gilbert Ramirez
Yes, multiple dissectors can exist within the same source file. The packet-ip.c file implements the IP and ICMP dissectors, for example. --gilbert On 12/3/06, prashanth joshi <[EMAIL PROTECTED]> wrote: > Hi, > can we have two dissectors in same file. Allready there is a dissector in a > file whic

Re: [Wireshark-dev] Byte order, hf_register_info and value displayed

2006-12-04 Thread Gilbert Ramirez
The last argument of proto_tree_add_item() tells Wireshark the byte order (endianness)... TRUE for little endian, FALSE for big endian. --gilbert On 12/4/06, Hal Lander <[EMAIL PROTECTED]> wrote: > In hf_register_info I declare a field to be FT_UINT16. > Then I use "proto_tree_add_item" to put it

Re: [Wireshark-dev] Capture Filter tns.data_flag.rts

2006-12-19 Thread Gilbert Ramirez
There's a distinction between capture filters and display filters. They use different syntaxes. See: http://www.wireshark.org/faq.html#q7.7 You *can* use display filters with tethereal, but be warned that display filters are slower than capture filters. Use "-R" instead of "-f" --gilbert On 12/

[Wireshark-dev] Re: Inquiry Regarding Protocol Identification Process in Wireshark

2025-04-04 Thread Gilbert Ramirez
In addition to relying on well-known ports (or other similar fields), Wireshark has the concept of a "heuristic decoder", where it tries to guess the protocol based on the content. Look for the word "heuristic" in the Wireshark documentation and source code to see examples. Gilbert On Mon, Mar 31

[Wireshark-dev] Re: Possible exported plain text formatting issue

2025-06-19 Thread Gilbert Ramirez
What the code is silently doing is to set a maximum indent of 160 characters. This is the line: https://gitlab.com/wireshark/wireshark/-/blob/master/epan/print_stream.c?ref_type=heads#L282 (and, lines 320 - 321) For the purposes of writing to a file, I don't see why the indent should have any ma

[Wireshark-dev] Re: Request for Contribution Access – PFCP Juniper Vendor-Specific Dissector Development

2025-07-11 Thread Gilbert Ramirez
Welcome! This is the place to start: https://www.wireshark.org/docs/wsdg_html_chunked/ And specifically: https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html Gilbert On Fri, Jul 11, 2025 at 9:52 AM Lavanika Raghavan wrote: > Dear Wireshark Development Team, > > I hope this me

[Wireshark-dev] Re: g_new0() allocation in init_iousers()

2025-06-28 Thread Gilbert Ramirez
Correct, we don't want to free the allocation directly in the init function. Look at epan/tap.h for the documentation on register_tap_listener. The 2nd argument is "tapdata", or, the instance of the tap and all its state. If you look at tap-rpcprogs.c, in rpcprogs_init(), you'll see a much clearer

[Wireshark-dev] Re: Changes in the latest dev code (since 4.4.7) which heavily impacted PROTO_TREE_MAX_IDLE

2025-06-25 Thread Gilbert Ramirez via Wireshark-dev
The way the packet-nr-rrc.c dissector is adding many fields for the same bytes in the packet isn't playing well with the "start_idle_count" logic that was added to new_field_info() in proto.c When I add a debugging printf like this: diff --git a/epan/proto.c b/epan/proto.c index 12758f9d00..c91fc