I have an existing dissector that ends up leaving some of the payload of the packet undissected. The remaining bytes are handled by the generic "data" dissector, and are in a field simply called "data.data". I would like to use Lua to play around with dissecting these bytes. Reading around, it would appear that writing a post-dissector is the easiest way to achieve this. I am relatively new to Lua, but have copied some of the post-dissector examples. I think I need to get the bytes from the data.data field as a TVB, then start processing them from there. However, the following code causes Wireshark (nightly, from last week) to crash:
Removing the line where datatvb is used caused Wireshark to stop crashing (but the dissector does nothing). Is this the right way to access the bytes in the data.data field? Is the crashing a bug in Wireshark or my post-dissector? Thanks

asked 21 Oct '13, 06:32 Alan
One Answer:
I don't think a post dissector will help here, as the data has already been processed by the 'data' dissector. I think a chained dissector is what you need. First you register the Lua dissector for the same protocol/port, then you call the original dissector (the one that leaves a few bytes). What is left undissected can then be handled in your Lua dissector. There is a simple example of a chained dissector here: Regards

answered 21 Oct '13, 06:46 Kurt Knochner ♦ edited 21 Oct '13, 06:46
Thanks for the suggestion. However, while I was glancing in the source code for the dissector in question to work out how a chained dissector might work, I discovered that there is a dissector table that it uses to decide how to process the payload bytes. In my specific case, hooking into the dissector table seems to be the right way - in the general case, it looks like a chained dissector might be right.
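A chained Lua dissector of the kind the answer describes, written here as an added example (it is not code from the question or the answer). It assumes the original dissector is registered on udp.port 12345 and that Dissector:call returns the number of bytes it consumed (true in newer Wireshark releases); the names footrailer and foo, and the len/flags/body layout of the leftover bytes, are invented for illustration. The last comment shows the alternative from the follow-up: registering directly in the original dissector's own table, with a hypothetical table name.

```lua
-- Added example: wrap an existing dissector, then dissect what it leaves over.
-- Assumptions: the original dissector ("foo") sits on udp.port 12345 and
-- Dissector:call returns the number of bytes it consumed.
local trailer = Proto("footrailer", "Bytes left undissected by foo")

local f_len   = ProtoField.uint8("footrailer.len",   "Length", base.DEC)
local f_flags = ProtoField.uint8("footrailer.flags", "Flags",  base.HEX)
local f_body  = ProtoField.bytes("footrailer.body",  "Body")
trailer.fields = { f_len, f_flags, f_body }

-- Fetch the currently registered dissector so we can call it first.
local udp_table = DissectorTable.get("udp.port")
local original  = udp_table:get_dissector(12345)   -- assumed port of "foo"

function trailer.dissector(tvb, pinfo, tree)
    -- Let the original dissector build its tree; it reports bytes consumed.
    -- Some dissectors always report the full buffer length; if "foo" does,
    -- replace 'consumed' with the header length you know it uses.
    local consumed = original:call(tvb, pinfo, tree)
    if consumed == nil or consumed >= tvb:len() then
        return                      -- nothing left over for us
    end

    -- A TVB covering only the undissected tail (no Field("data.data") needed).
    local rest = tvb(consumed):tvb()
    if rest:len() < 2 then
        return                      -- too short for len+flags; leave as raw data
    end

    local subtree = tree:add(trailer, rest())
    subtree:add(f_len,   rest(0, 1))
    subtree:add(f_flags, rest(1, 1))
    if rest:len() > 2 then
        subtree:add(f_body, rest(2))
    end
end

-- Take over the port; the original keeps running via original:call above.
udp_table:add(12345, trailer)

-- Alternative from the follow-up comment: if "foo" exposes its own table for
-- the payload, register there instead of wrapping it (hypothetical names):
--   DissectorTable.get("foo.payload_type"):add(7, trailer)
```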