From fc931b8d912ce1be08129b578eba8c26da12813c Mon Sep 17 00:00:00 2001
From: Martin Mathieson
Date: Wed, 26 Apr 2017 21:46:14 +0100
Subject: Snort: Ask for needed fields.

Doesn't seem to make a difference at the moment, but ask for it regardless.

Change-Id: I94ff4f1321b2b2f2cde23f3281a6b79fd7048009
Reviewed-on: https://code.wireshark.org/review/21436
Petri-Dish: Martin Mathieson
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-snort.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-snort.c b/epan/dissectors/packet-snort.c
index b1f0c5bef5..1df1a0564f 100644
--- a/epan/dissectors/packet-snort.c
+++ b/epan/dissectors/packet-snort.c
@@ -109,6 +109,8 @@ static int ett_snort_global_stats = -1;
 static expert_field ei_snort_alert = EI_INIT;
 static expert_field ei_snort_content_not_matched = EI_INIT;
+static dissector_handle_t snort_handle;
+
 /*****************************************/
 /* Preferences */
@@ -1342,6 +1344,14 @@ proto_reg_handoff_snort(void)
 * work as a non-root user (couldn't read stdin)
 * TODO: could run snort just to get the version number and check the config file is readable?
 * TODO: could make snort config parsing less forgiving and use that as a test? */
+
+ /* Add items we want to try to get to find before we get called. For now, just ask for tcp.reassembled_in, which won't be seen on the first pass through the packets. */
+ GArray *wanted_hfids = g_array_new(FALSE, FALSE, (guint)sizeof(int));
+ int id = proto_registrar_get_id_byname("tcp.reassembled_in");
+ g_array_append_val(wanted_hfids, id);
+ set_postdissector_wanted_hfids(snort_handle, wanted_hfids);
 }
 void
@@ -1453,8 +1463,6 @@ proto_register_snort(void)
 expert_module_t* expert_snort;
-
- dissector_handle_t snort_handle;
 module_t *snort_module;
 proto_snort = proto_register_protocol("Snort Alerts", "Snort", "snort");
-- 
cgit v1.2.1
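Review bot: The id returned by proto_registrar_get_id_byname("tcp.reassembled_in") is appended to wanted_hfids without being checked, so if the field is not registered (presumably signalled by a negative return) a bogus hfid is handed to set_postdissector_wanted_hfids; guard the append with `if (id >= 0) g_array_append_val(wanted_hfids, id);`. The GArray is allocated unconditionally each time this function runs and is never freed, which is acceptable for a one-shot handoff but leaks one array per call if proto_reg_handoff_snort is also installed as the preferences-apply callback — a static "already registered" flag or a static GArray would make it safe either way. The new code also relies on register_postdissector(snort_handle) having run earlier and on the file-scope snort_handle having been assigned in proto_register_snort; neither is visible in this hunk, so worth confirming the ordering. proto_reg_handoff_snort's body starts outside the hunk.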