Are Lua dissector fields filterable?

Question

I'm wondering how to get the fields declared in a Lua dissector searchable in the filter bar. When trying to declare fields the same way as in various tutorials/samples, despite the fact that the dissector works fine, packets are recognized and decoded, the fields are unavailable to search.

Example :

p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data = ProtoField.string("myproto.data", "Data", FT_STRING)

p_myproto.fields = {f_command,f_data}

myproto.f_data == in the filter bar gives "myproto.f_data isn't a valid display filter" "myproto.f_data is neither a field nor a protocol name"

Are custom fields supposed to be searchable?

Answer 1

1

You get the error message "myproto.f_data is neither a field nor a protocol name" because you have used a different string for your field's filter string. Try myproto.data in stead.

In the line local f_data = ProtoField.string("myproto.data", "Data", FT_STRING), it is actually the first argument to ProtoField.string that determines the filter string (i.e. "myproto.data"), not the name of the variable into which it is stored (i.e. local f_data).
You could just have easily typed the following, and it would still use myproto.data as the filter string:

local some_data_field_with_a_long_name = ProtoField.string("myproto.data", "Data", FT_STRING)

permanent link

answered 06 Dec '13, 13:30

multipleinte...
1.3k●15●23●40
accept rate: 12%

Hi,

Thanks for answering this. I tried to rename the field but still get the error. Below code for the sake of example :

p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data = ProtoField.string("testdata", "Data", FT_STRING)
local f_debug = ProtoField.uint8("myproto.debug", "Debug")

p_myproto.fields = {f_command,f_data,f_debug}

function p_myproto.dissector (buf, pkt, root)

  if buf:len() == 0 then return end
  pkt.cols.protocol = p_myproto.name
  subtree = root:add(p_myproto, buf(0))
  subtree:add(f_command, buf(0,2)):append_text(" [Command text]")
  subtree:append_text(", Command details here or in the tree below")

  if f_debug then
    subtree:add(f_debug, buf:len())
  end
end

function p_myproto.init()
end

local tcp_dissector_table = DissectorTable.get("tcp.port")
dissector = tcp_dissector_table:get_dissector(80)
tcp_dissector_table:add(80, p_myproto)

(09 Dec '13, 03:08) lepolac

In this code, you haven't added the f_data field to any part of the tree. You have, however, added the f_command field, so you should be able to filter on myproto.command. Have you looked at the examples at http://wiki.wireshark.org/Lua/Examples ?

(09 Dec '13, 10:35) multipleinte...

Hi, Sorry, didn't catch that one.. This is not my actual dissector, was just trying to quickly give an example. myproto.command doesn't work either, I still get myproto.command isn't a valid display filter. By the way, I tested dozens of various dissectors I found, including the simplest wiki examples, and none of them allow me to access field in the filter. Maybe I'm doing something the wrong way...

(11 Dec '13, 02:02) lepolac

Are Lua dissector fields filterable?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions