This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LUA dissector field in display filter

Hi,

I'm trying to register some fields within a dissector, to be able to use them in the display filter. Tried different things but none of them worked, a simple example below :

    DUMMYPROTOCOL = Proto ("DUMMYPROTOCOL", "B tcp Protocol")
    magic = ProtoField.uint32 ("DUMMYPROTOCOL.magic", "Magic")
    DUMMYPROTOCOL.fields = { magic }

    function DUMMYPROTOCOL.dissector (buffer, pinfo, tree)
        local subtree = tree:add (DUMMYPROTOCOL, buffer())
        -- Modify columns
        pinfo.cols.protocol = DUMMYPROTOCOL.name
        pinfo.cols.info = "PROTOCOL B"
        subtree:add("hey")

        local offset = 0

        -- Scan for the 4-byte magic value, including the last 4 bytes
        while ( offset <= buffer:len() - 4) do
            if buffer(offset,4):uint() == 0x12345678 then
                subtree:add(magic,buffer(offset,4))
                break
            end
            offset = offset + 1
        end
    end

The field doesn’t seem to be registered properly, I get “isn’t a valid display filter” “dommyprotocol.magic” is neither a field nor a protocol name, when trying to search for it. Any ideas ?

Thanks

asked 06 Jan ‘14, 02:50

lepolac

edited 06 Jan ‘14, 02:50


One Answer:

I get "isn't a valid display filter" "dommyprotocol.magic"

two things:

  1. the error message says: 'dommyprotocol.magic', whereas the code says 'DUMMYPROTOCOL.magic', but that might be just a typo ;-)
  2. You defined the field all uppercase, so you'll have to search for the uppercase field as well. Please try to search for: DUMMYPROTOCOL.magic

Regards
Kurt

answered 08 Jan '14, 09:13

Kurt Knochner ♦

Hi, thanks for the reply.

  1. yeah, typo :)
  2. Interestingly, I can search for the protocol name (DUMMYPROTOCOL) only in lowercase, even if defined in uppercase. Makes sense as 'tcp' works but not "TCP" for example. But regardless, it can't find the field.

(08 Jan '14, 09:33) lepolac

O.K. I did not yet check your code, so what happens, if you define all lowercase?

UPDATE: all lowercase works on my system (Windows - Wireshark 1.10.x)

(08 Jan '14, 09:35) Kurt Knochner ♦

I get the same error, "dummyprotocol.magic" isn't a valid display filter: "dummyprotocol.magic" is neither a field nor a protocol name. I've got 1.8.5. interesting...

(08 Jan '14, 09:48) lepolac

Can you please test with 1.10.x?

(08 Jan '14, 10:27) Kurt Knochner ♦