
Display multiple PDUs in a TCP segment


With lots of help, I now understand that a Lua dissector that is meant to extract multiple higher-level PDUs from a given TCP segment must implement its own loop. As an example, I have implemented such a dissector for the TRIVIAL protocol (see homemade packet capture). Running tshark shows:

1 0.000000 6666     7777 TRIVIAL 68 Trivial Info
2 0.000001 6666     7777 TRIVIAL 60 Trivial Info

By running tshark -V, I can see the (multiple) contained Trivial Protocol Data subtrees in these segments. Progress!

Is there any way to have the output of tshark show something like:

1 0.000000 6666     7777 TRIVIAL 68 Trivial Info
1 0.000000 6666     7777 TRIVIAL 68 Trivial Info
1 0.000000 6666     7777 TRIVIAL 68 Trivial Info
2 0.000001 6666     7777 TRIVIAL 60 Trivial Info

that is, one row per TRIVIAL PDU rather than one row per TCP segment?

asked 10 Mar '14, 05:42

yotommy

2 Answers:


The short answer: not currently.

I believe there have been some previous similar requests and some discussions about same.

Something like implementing an expandable "treeview" for a summary line?

I think a Google search " ..." with some appropriate search terms may find the previous discussions.

answered 10 Mar '14, 05:52

Bill Meier ♦♦

Thanks - I found this: (which contains pointers to other similar discussion items). I guess a workaround is to have the dissector print out exactly the info I need, and add a display filter to Wireshark that will effectively suppress the default output.

(10 Mar '14, 06:05) yotommy


Well, well... it appears Lua can do something C-code can't. :)

Here's your Trivial dissector, with multi-line tshark output (you may need to tweak the makeLine function):

-- declare our protocol
local trivial_proto = Proto("trivial","Trivial Protocol")

local trivial_pdu_len = 4
local makeLine  -- forward declaration; defined at the bottom of the script

local function dissect_common(buffer, pinfo, tree, offset)
    local subtree = tree:add(trivial_proto,buffer(offset,trivial_pdu_len),"Trivial Protocol Data")

    subtree:add(buffer(offset,2),"The first two bytes: " .. buffer(offset,2):uint())
    -- highlight bytes relative to this PDU's offset, not to the start of the segment
    subtree = subtree:add(buffer(offset+2,2),"The next two bytes")
    subtree:add(buffer(offset+2,1),"The 3rd byte: " .. buffer(offset+2,1):uint())
    subtree:add(buffer(offset+3,1),"The 4th byte: " .. buffer(offset+3,1):uint())

    local output = "Trivial Info (" .. buffer(offset,2):uint() ..")"

    -- return number of bytes consumed so that more trivial PDUs can be discovered
    return trivial_pdu_len, output
end

-- create a function to dissect it
function trivial_proto.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = "TRIVIAL"

    local pktlen = buffer:len()

    local consumed, output = dissect_common(buffer, pinfo, tree, 0)
    local remaining = pktlen - consumed
    -- assumed: the first PDU fills the normal Info column
    pinfo.cols.info = output

    while remaining >= trivial_pdu_len do
        consumed, output = dissect_common(buffer, pinfo, tree, pktlen - remaining)
        -- assumed call: only its tail ",output))" survives on this page;
        -- each further PDU is appended to the Info column as an extra line
        pinfo.cols.info:append(makeLine(pinfo,output))
        remaining = remaining - consumed
    end

    -- a partial PDU is left over: ask TCP for the missing bytes
    if remaining > 0 then
        pinfo.desegment_offset = pktlen - remaining
        pinfo.desegment_len = trivial_pdu_len - remaining
    end

    return pktlen - remaining
end

-- load the tcp.port table
local tcp_table = DissectorTable.get("tcp.port")
-- register our protocol to handle tcp port 7777
tcp_table:add(7777,trivial_proto)

-- helper function to enable multi-line packet output
makeLine = function (pinfo,output)
    local rel_time = string.format("%.6f\t", pinfo.rel_ts)

    -- assumed column list: the entries after "\n " are cut off on this page;
    -- these mirror tshark's default summary columns
    local line = {
        "\n ",
        pinfo.number,
        rel_time,
        tostring(pinfo.src),
        tostring(pinfo.dst),
        "TRIVIAL",
        pinfo.len,
        output
    }

    return table.concat(line," ")
end

Okay, okay… so I’m totally cheating. But hey it works! ;)

answered 10 Mar '14, 07:36

Hadriel

Very sneaky! Great, thanks for the help.

(10 Mar '14, 08:15) yotommy
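The per-PDU loop and the desegment_offset/desegment_len bookkeeping discussed in this thread, modelled offline in Python as an added example (not code from the thread or from Wireshark). The function names and sample bytes are constructed for illustration; the model assumes TCP hands back the unfinished tail together with the next segment, so a split PDU is reported in the frame where it completes.

```python
import struct

PDU_LEN = 4  # fixed PDU size, trivial_pdu_len in the dissector above


def dissect_buffer(buf):
    """Run the dissector's loop over one buffer handed up by TCP.

    Returns (rows, desegment_offset, desegment_len); the last two are None
    when the buffer ends exactly on a PDU boundary.
    """
    rows, offset = [], 0
    while len(buf) - offset >= PDU_LEN:
        word, _third, _fourth = struct.unpack_from("!HBB", buf, offset)
        rows.append(f"Trivial Info ({word})")
        offset += PDU_LEN
    remaining = len(buf) - offset
    if remaining:
        # Partial PDU at the tail: report where it starts and how many
        # bytes are still missing, as desegment_offset/desegment_len do.
        return rows, offset, PDU_LEN - remaining
    return rows, None, None


def rows_per_pdu(segments):
    """Return one (frame_number, info) row per PDU across all segments."""
    out, carry = [], b""
    for frame_no, payload in enumerate(segments, start=1):
        buf = carry + payload  # TCP re-presents the unfinished tail first
        rows, deseg_offset, _ = dissect_buffer(buf)
        out.extend((frame_no, row) for row in rows)
        carry = buf[deseg_offset:] if deseg_offset is not None else b""
    return out


# Constructed sample: four PDUs, the third split across two segments.
SEGMENTS = [
    bytes.fromhex("00010a0b" "00020c0d" "0003"),
    bytes.fromhex("0e0f" "00041011"),
]

if __name__ == "__main__":
    for frame_no, info in rows_per_pdu(SEGMENTS):
        print(frame_no, "TRIVIAL", info)
```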