I'd like to extend an existing dissector. Current dissector display the field as a string and I would like to parse this string into tokens. Finding the handler is easy - method find_dissector, I know the field name that needs extension. How do I take over current handling? asked 11 Nov '13, 00:27  yosefk |
One Answer:
You can do that
Regards answered 11 Nov '13, 07:11  Kurt Knochner ♦ Following Lua solution path. The next step is to register ProtoField dynamically. After dividing uri into tokens, I'd like to display each token by key and value. First step is to create ProtoField for each found token (Done). The second step is to add the new ProtoField into existing Proto.fields. I couldn't find references in http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html Thanks YosefK (12 Nov '13, 04:16) yosefk can you post your code? (12 Nov '13, 04:19) Kurt Knochner ♦
wait a moment. Can you please be more precise on that? Do you want to add a new field directly next/beneath the original HTTP fields? If so, that does not work, as I mentioned in my answer. See also the screenshot in the link I posted. As you can see, the new decimal format of the If you want to add your fields somewhere else (directly next to the original fields and/or replacing the original fields), you need to modify the HTTP dissector code directly. (12 Nov '13, 04:42) Kurt Knochner ♦ |
Are you trying to do this with LUA? Supplying a patch to the dissector in C trough bugzilla would be a better idea.
I'm trying to extend http.request.uri field. The way I thought of doing it is: 1) attach to http handler (find_dissector) 2) register expert method to http.request.uri that will parse uri string into tokens. One issue is how to take control of http.request.uri handling from http dissector. Another issue is to plugin this extension. the plugin description is for new protocols handling. I want to extend handling of a standard, existing. protocol.