This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissect data using Lua post-dissector

0

I have an existing dissector that ends up leaving some of the payload of the packet undissected. The remaining bytes are handled by the generic "data" dissector, and are in a field simply called "data.data". I would like to use Lua to play around with dissecting these bytes. Reading around, it would appear that writing a post-dissector is the easiest way to achieve this. I am relatively new to Lua, but have copied some of the post-dissector examples.

I think I need to get the bytes from the data.data field as a TVB, then start processing them from there. However, the following code causes Wireshark (nightly, from last week) to crash:

-- test
local TestDissector = Proto("testdissect", "Test LUA dissector")
register_postdissector(TestDissector)

-- fields to be read
local data_f = Field.new("data.data")

function TestDissector.dissector(tvb, pinfo, tree)
    local data = data_f()
    local datatvb
    if data then
        datatvb = data.range
        -- dissect bytes in datatvb here
    end
end

Removing the line where datatvb is used caused Wireshark to stop crashing (but the dissector does nothing). Is this the right way to access the bytes in the data.data field? Is the crashing a bug in Wireshark or my post-dissector?

Thanks

asked 21 Oct '13, 06:32


Alan


One Answer:

0

I don't think a post dissector will help here, as the data has already been processed by the 'data' dissector.

I think a chained dissector is what you need. First you register the Lua dissector for the same protocol/port, then you call the original dissector (the one that leaves a few bytes). What is left undissected can then be handled in your Lua dissector.

There is a simple example of a chained dissector here: http://delog.wordpress.com/2010/09/27/create-a-wireshark-dissector-in-lua/

Regards
Kurt

answered 21 Oct '13, 06:46


Kurt Knochner ♦

edited 21 Oct '13, 06:46
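A chained dissector of the kind the answer describes, as an added example; it is not code from the answer or from the linked delog post. Everything specific in it is an assumption for illustration: the existing dissector is taken to be registered on TCP port 5555, and the bytes it leaves over are taken to carry a 1-byte type, a 2-byte big-endian length and a body of that length. The protocol and field names are made up. After calling the original dissector it reads the 'data.data' field the same way the question does, and only falls back to the byte count returned by Dissector:call(), since some dissectors always report the whole buffer as consumed. ProtoExpert needs Wireshark 1.12 or newer.

```lua
-- Chained dissector (added example, not from the thread). Assumed: the
-- dissector to wrap is on TCP port 5555 and its leftover bytes start with a
-- 1-byte type, a 2-byte big-endian length and that many body bytes.
local WRAPPED_PORT = 5555

local leftover = Proto("leftover", "Leftover payload (chained)")
local f_type  = ProtoField.uint8("leftover.type", "Type", base.HEX)
local f_len   = ProtoField.uint16("leftover.len", "Length", base.DEC)
local f_body  = ProtoField.bytes("leftover.body", "Body")
local f_extra = ProtoField.bytes("leftover.extra", "Unparsed trailing bytes")
leftover.fields = { f_type, f_len, f_body, f_extra }

-- Expert info makes malformed leftovers show up in the Analyze views.
local ef_short = ProtoExpert.new("leftover.short", "Leftover payload truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
leftover.experts = { ef_short }

-- Take a reference to the dissector currently on the port *before* we
-- replace the registration, so we can still call it.
local tcp_port = DissectorTable.get("tcp.port")
local original = tcp_port:get_dissector(WRAPPED_PORT)
if not original then
    error("nothing registered on tcp.port " .. WRAPPED_PORT .. ", nothing to chain to")
end

-- The generic data dissector stores undissected bytes in 'data.data'. The
-- Field extractor must be created at load time, not inside the dissector.
local data_f = Field.new("data.data")

-- Return the TvbRange the original dissector left undissected, or nil.
local function leftover_range(tvb, consumed)
    local infos = { data_f() }          -- every data.data field so far
    if #infos > 0 then
        return infos[#infos].range      -- the last one is the innermost leftover
    end
    -- Fallback: Dissector:call() reports bytes consumed, but some dissectors
    -- always claim the whole buffer, which is why the field is checked first.
    if type(consumed) == "number" and consumed < tvb:len() then
        return tvb(consumed)
    end
    return nil
end

function leftover.dissector(tvb, pinfo, tree)
    local consumed = original:call(tvb, pinfo, tree)
    local rest = leftover_range(tvb, consumed)
    if not rest or rest:len() == 0 then return end

    local subtree = tree:add(leftover, rest, "Leftover payload")
    -- Bounds-check before every slice; lengths carried in the packet are untrusted.
    if rest:len() < 3 then
        subtree:add(f_extra, rest)
        subtree:add_proto_expert_info(ef_short, "need 3 header bytes")
        return
    end
    subtree:add(f_type, rest:range(0, 1))
    subtree:add(f_len, rest:range(1, 2))
    local body_len = rest:range(1, 2):uint()
    local avail = rest:len() - 3
    if body_len > avail then
        if avail > 0 then subtree:add(f_body, rest:range(3, avail)) end
        subtree:add_proto_expert_info(ef_short,
            string.format("length %d but only %d bytes available", body_len, avail))
        return
    end
    if body_len > 0 then subtree:add(f_body, rest:range(3, body_len)) end
    if avail > body_len then
        subtree:add(f_extra, rest:range(3 + body_len))
    end
end

-- Replace the port registration with ours; the original is invoked above.
tcp_port:add(WRAPPED_PORT, leftover)
```

Load it with `-X lua_script:chain.lua` (or from the plugins directory) and the original dissector keeps running unchanged; only the bytes it hands to the data dissector get the extra subtree. Reassembly across TCP segments is not handled here, so a header split over two segments is reported as truncated rather than deferred.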

1

Thanks for the suggestion. However, while I was glancing in the source code for the dissector in question to work out how a chained dissector might work, I discovered that there is a dissector table that it uses to decide how to process the payload bytes. In my specific case, hooking into the dissector table seems to be the right way - in the general case, it looks like a chained dissector might be right.

(22 Oct '13, 08:21) Alan
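The dissector-table route from the comment above, as an added example rather than code from the thread. The parent dissector and its table are not named on the page, so the table name "parentproto.msgtype", the message type 0x42 and the TLV layout of the payload (1-byte tag, 1-byte length, value) are all assumptions for illustration. The point it shows beyond the comment is that a sub-dissector registered this way receives only the payload the parent hands over, must bounds-check every length it reads, and should return how many bytes it consumed. ProtoExpert needs Wireshark 1.12 or newer.

```lua
-- Hooking a Lua dissector into the table a parent dissector consults for its
-- payload (added example). Assumed: a uint table "parentproto.msgtype",
-- message type 0x42 currently unhandled, payload = sequence of TLVs with a
-- 1-byte tag and 1-byte length.
local PARENT_TABLE = "parentproto.msgtype"
local MSG_TYPE     = 0x42
local MAX_TLVS     = 64   -- cap the loop so a hostile packet cannot spin it

local tlvproto = Proto("tlvpayload", "TLV payload for parentproto type 0x42")
local f_tlv   = ProtoField.bytes("tlvpayload.tlv", "TLV")
local f_tag   = ProtoField.uint8("tlvpayload.tag", "Tag", base.HEX)
local f_len   = ProtoField.uint8("tlvpayload.len", "Length", base.DEC)
local f_value = ProtoField.bytes("tlvpayload.value", "Value")
tlvproto.fields = { f_tlv, f_tag, f_len, f_value }

local ef_trunc = ProtoExpert.new("tlvpayload.truncated", "TLV runs past end of payload",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_many  = ProtoExpert.new("tlvpayload.too_many", "Too many TLVs, parsing stopped",
                                 expert.group.PROTOCOL, expert.severity.WARN)
tlvproto.experts = { ef_trunc, ef_many }

function tlvproto.dissector(tvb, pinfo, tree)
    -- tvb here is only the payload the parent handed to the table.
    pinfo.cols.protocol = "TLV"
    local subtree = tree:add(tlvproto, tvb(), "TLV payload")
    local offset, count = 0, 0
    while offset < tvb:len() do
        if count >= MAX_TLVS then
            subtree:add(f_value, tvb(offset)):add_proto_expert_info(ef_many)
            break
        end
        -- Need tag and length bytes before the length can be read.
        if tvb:len() - offset < 2 then
            subtree:add(f_tlv, tvb(offset)):add_proto_expert_info(ef_trunc)
            break
        end
        local tag   = tvb(offset, 1):uint()
        local len   = tvb(offset + 1, 1):uint()
        local avail = tvb:len() - offset - 2
        if len > avail then
            -- Show what is there, flag it, and stop rather than slice past the end.
            local bad = subtree:add(f_tlv, tvb(offset))
            bad:add(f_tag, tvb(offset, 1))
            bad:add(f_len, tvb(offset + 1, 1))
            bad:add_proto_expert_info(ef_trunc,
                string.format("length %d but only %d bytes available", len, avail))
            break
        end
        local item = subtree:add(f_tlv, tvb(offset, 2 + len))
        item:set_text(string.format("TLV tag 0x%02x, %d byte value", tag, len))
        item:add(f_tag, tvb(offset, 1))
        item:add(f_len, tvb(offset + 1, 1))
        if len > 0 then item:add(f_value, tvb(offset + 2, len)) end
        offset = offset + 2 + len
        count  = count + 1
    end
    -- Every byte was either parsed or flagged, so report the whole payload as
    -- consumed; otherwise the parent may hand the tail to the data dissector.
    return tvb:len()
end

-- DissectorTable.get() raises an error if the name is wrong; in recent
-- builds DissectorTable.list() returns the registered table names.
DissectorTable.get(PARENT_TABLE):add(MSG_TYPE, tlvproto)
```

The table name and key type (integer versus string) have to match what the parent registers in its C source, which is exactly what the comment says it found by reading that source; `add()` on a uint table replaces any dissector already registered for that value, so it also works for overriding a handler the parent does have.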