This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have an existing dissector that ends up leaving some of the payload of the packet undissected. The remaining bytes are handled by the generic "data" dissector, and are in a field simply called "data.data". I would like to use Lua to play around with dissecting these bytes. Reading around, it would appear that writing a post-dissector is the easiest way to achieve this. I am relatively new to Lua, but have copied some of the post-dissector examples.

I think I need to get the bytes from the data.data field as a TVB, then start processing them from there. However, the following code causes Wireshark (nightly, from last week) to crash:

-- test
local TestDissector = Proto("testdissect", "Test LUA dissector")

-- fields to be read: Field.new() has to run at script load time, before any
-- packet is dissected; the extractor it returns is called per packet below
local data_f = Field.new("data.data")

function TestDissector.dissector(tvb, pinfo, tree)
  -- data_f() returns the first "data.data" FieldInfo of this packet,
  -- or nil when the generic data dissector did not run on it
  local data = data_f()
  if not data or data.len == 0 then
    return
  end
  -- FieldInfo.range is a TvbRange covering only the undissected bytes;
  -- :tvb() turns it into a Tvb whose offsets start at 0, which is what
  -- a sub-dissector (or Dissector:call) expects
  local datarange = data.range
  local datatvb = datarange:tvb()
  -- dissect bytes in datatvb here
end

-- register once the dissector function exists
register_postdissector(TestDissector)

Removing the line where datatvb is used caused Wireshark to stop crashing (but the dissector does nothing). Is this the right way to access the bytes in the data.data field? Is the crashing a bug in Wireshark or my post-dissector?

Thanks

asked 21 Oct '13, 06:32

Alan


I don't think a post dissector will help here, as the data has already been processed by the 'data' dissector.

I think a chained dissector is what you need. First you register the Lua dissector for the same protocol/port, then you call the original dissector (the one that leaves a few bytes). What is left undissected can then be handled in your Lua dissector.

There is a simple example of a chained dissector here: http://delog.wordpress.com/2010/09/27/create-a-wireshark-dissector-in-lua/

Regards
Kurt

answered 21 Oct '13, 06:46

Kurt Knochner ♦

edited 21 Oct '13, 06:46
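The chaining Kurt describes, written out as an added example (this is not code from the thread or from the linked blog post). It looks up whatever dissector is currently registered for a UDP port, replaces it with a Lua wrapper, lets the original dissector run first, and then puts the bytes it did not consume into a subtree of their own instead of leaving them to "data". The port 5000, the "udp.port" table and the myproto_tail names are placeholders for the asker's real protocol. It also assumes a Wireshark release in which Dissector:call() returns the number of bytes the callee consumed; in older 1.10-era builds that call returned nothing, and you would have to compute the original header length yourself.

```lua
-- Added example: chain a Lua dissector in front of an existing one.
-- PORT and the table name are assumptions; substitute your own.
local PORT = 5000
local port_table = DissectorTable.get("udp.port")

-- Grab the original dissector BEFORE we overwrite its table entry,
-- otherwise we would end up calling ourselves.
local original = port_table:get_dissector(PORT)

local tail = Proto("myproto_tail", "Trailing bytes of myproto")
local f_len   = ProtoField.uint32("myproto_tail.len",   "Undissected length", base.DEC)
local f_bytes = ProtoField.bytes ("myproto_tail.bytes", "Undissected bytes")
tail.fields = { f_len, f_bytes }

function tail.dissector(tvb, pinfo, tree)
  -- Hand the whole packet to the original dissector. Its return value is the
  -- number of bytes it claimed; 0 means it rejected the packet entirely.
  local consumed = original:call(tvb, pinfo, tree)
  if consumed == 0 then
    return 0
  end
  if consumed >= tvb:len() then
    -- Nothing left over, the original dissector covered everything.
    return consumed
  end

  -- Everything from 'consumed' to the end is what used to show up as data.data.
  local rest = tvb:range(consumed)
  local subtree = tree:add(tail, rest)
  subtree:add(f_len, rest:len())
  subtree:add(f_bytes, rest)
  pinfo.cols.info:append(" [+" .. rest:len() .. " trailing bytes]")
  return tvb:len()
end

-- Take over the port; the original is still reachable through 'original'.
port_table:add(PORT, tail)
```

Load it with `wireshark -X lua_script:chain.lua` (or drop it in the personal plugins directory). Note that `get_dissector()` returns the handle that is registered for the port at load time, so the script has to be loaded after the C dissector it wraps, which is always the case for Lua scripts loaded from the plugins directory.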

Thanks for the suggestion. However, while I was glancing through the source code for the dissector in question to work out how a chained dissector might work, I discovered that there is a dissector table that it uses to decide how to process the payload bytes. In my specific case, hooking into the dissector table seems to be the right way; in the general case, it looks like a chained dissector might be right.

(22 Oct '13, 08:21) Alan
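The approach Alan settled on, hooking a Lua dissector into the C dissector's own dissector table, as an added example (not code from the thread). The table name "myproto.payload_type", the integer key 0x42 and the two-byte version/flags header are placeholders; the real table name and key type come from the register_dissector_table() and dissector_add_uint() calls in the C source. Once the Lua protocol is added to the table for that key, the C dissector hands it a Tvb that starts at the payload, so there is no need to re-parse the outer header, and those bytes stop falling through to "data".

```lua
-- Added example: register a Lua sub-dissector in an existing dissector table.
-- TABLE_NAME and KEY are assumptions; read the real ones from the C dissector.
local TABLE_NAME = "myproto.payload_type"
local KEY = 0x42

local payload = Proto("myproto_payload", "myproto payload type 0x42")
local f_ver   = ProtoField.uint8("myproto_payload.version", "Version", base.DEC)
local f_flags = ProtoField.uint8("myproto_payload.flags",   "Flags",   base.HEX)
local f_body  = ProtoField.bytes("myproto_payload.body",    "Body")
payload.fields = { f_ver, f_flags, f_body }

function payload.dissector(tvb, pinfo, tree)
  -- The table owner passes a Tvb covering only the payload, so offset 0 is
  -- the first byte that previously appeared in data.data.
  if tvb:len() < 2 then
    -- Too short for our (assumed) fixed header: claim nothing so the table's
    -- fallback handling applies instead of a bogus parse.
    return 0
  end

  local subtree = tree:add(payload, tvb(0))
  subtree:add(f_ver,   tvb(0, 1))
  subtree:add(f_flags, tvb(1, 1))
  if tvb:len() > 2 then
    subtree:add(f_body, tvb(2))
  end
  pinfo.cols.protocol = "MYPROTO/0x42"
  return tvb:len()
end

-- Integer tables take a number key; string-keyed tables (e.g. media types)
-- would take a string here instead.
DissectorTable.get(TABLE_NAME):add(KEY, payload)
```

If `DissectorTable.get()` raises an error the table name is wrong or the C dissector registers it under a different name; check the `register_dissector_table()` call rather than guessing. Returning 0 for packets the script does not understand keeps Wireshark's tree consistent with what was actually parsed.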