
I have an existing dissector that ends up leaving some of the payload of the packet undissected. The remaining bytes are handled by the generic "data" dissector, and are in a field simply called "". I would like to use Lua to play around with dissecting these bytes. Reading around, it would appear that writing a post-dissector is the easiest way to achieve this. I am relatively new to Lua, but have copied some of the post-dissector examples.

I think I need to get the bytes from the field as a TVB, then start processing them from there. However, the following code causes Wireshark (nightly, from last week) to crash:

-- test
local TestDissector = Proto("testdissect", "Test LUA dissector")

-- fields to be read
local data_f = Field.new("")

function TestDissector.dissector(tvb, pinfo, tree)
  local data = data_f()
  local datatvb
  if data then
    datatvb = data.range
    -- dissect bytes in datatvb here
  end
end

register_postdissector(TestDissector)

Removing the line where datatvb is used caused Wireshark to stop crashing (but the dissector does nothing). Is this the right way to access the bytes in the field? Is the crashing a bug in Wireshark or my post-dissector?


asked 21 Oct '13, 06:32

Alan

I don't think a post dissector will help here, as the data has already been processed by the 'data' dissector.

I think a chained dissector is what you need. First you register the Lua dissector for the same protocol/port, then you call the original dissector (the one that leaves a few bytes). What is left undissected can then be handled in your Lua dissector.

There is a simple example of a chained dissector here:


answered 21 Oct '13, 06:46

Kurt Knochner ♦

edited 21 Oct '13, 06:46


Thanks for the suggestion. However, while I was glancing in the source code for the dissector in question to work out how a chained dissector might work, I discovered that there is a dissector table that it uses to decide how to process the payload bytes. In my specific case, hooking into the dissector table seems to be the right way - in the general case, it looks like a chained dissector might be right.

(22 Oct '13, 08:21) Alan
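
The chained-dissector arrangement described in the answer above, as an added example that is not part of the original thread or any participant's code. The port number, the use of the `tcp.port` table, the `chainex` names and the one-byte field are hypothetical; `data.data` is assumed to be the generic data dissector's field, and the sketch assumes a Wireshark release in which `FieldInfo.range` is usable.

```lua
-- Added example: chained dissector that picks up bytes the original left over.
-- PORT, the "tcp.port" table and all "chainex" names are hypothetical.
local PORT = 7000

local chain = Proto("chainex", "Chained dissector example")
local pf_rest  = ProtoField.bytes("chainex.rest", "Bytes left by original dissector")
local pf_first = ProtoField.uint8("chainex.first", "First leftover byte", base.HEX)
chain.fields = { pf_rest, pf_first }

-- Field extractors must be created at load time, outside the dissector function.
-- "data.data" is assumed to be the field filled in by the generic data dissector.
local data_f = Field.new("data.data")

local tcp_table = DissectorTable.get("tcp.port")
-- Remember the dissector currently registered for the port before replacing it.
local original = tcp_table:get_dissector(PORT)

function chain.dissector(tvb, pinfo, tree)
  -- 1. Let the existing dissector run first so its tree items are created.
  if original then
    original:call(tvb, pinfo, tree)
  end

  -- 2. Collect every "data.data" field present in this packet.
  local leftovers = { data_f() }
  for _, finfo in ipairs(leftovers) do
    local range = finfo.range  -- TvbRange covering the field's bytes, or nil
    if range and range:len() > 0 then
      local sub = tree:add(chain, range, "Leftover payload")
      sub:add(pf_rest, range)
      -- Offsets are relative to the leftover bytes, so check lengths against
      -- range:len() before reading deeper into the payload.
      sub:add(pf_first, range:range(0, 1))
    end
  end
end

-- 3. Register on the same port so Wireshark calls the chain, which in turn
--    calls the original dissector.
tcp_table:add(PORT, chain)
```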