This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, I'm writing a Lua dissector for a custom simple protocol. My protocol basically wraps CAN frames over ethernet media.

Thus, Wireshark captures ethernet frames from the ethernet card, and I hooked my Lua dissector to them. I can successfully parse some fields (timestamp and other random flags) and I can extract CAN ID, CAN len, and CAN payload.

Then I would like to chain to the standard Wireshark CAN dissector, but I failed to do this. If I do:

local can_dis = Dissector.get("can")

Wireshark complains that the dissector is not found: "bad argument #1 to 'get' (Dissector_get: No such dissector)".

The "can" dissector should anyway be present in my Wireshark since I used it with socketcan devices successfully, and from menu "Internals->Supported protocol" it seems "can" is correctly listed. BTW version is 1.10.2 (SVN Rev 51934 from /trunk-1.10) (Linux)

Any suggestion would be appreciated :)

Thanks Andrea

asked 29 Apr '14, 05:27

Andrea

For that to work I think the can dissector needs to register by name. Check if it does.

(29 Apr '14, 08:20) Anders ♦

Is it possible to register a dissector from a Lua script? Can you please tell me how? Thank you

(29 Apr '14, 23:46) Andrea

What Anders means is: in order for you to call a built-in Wireshark dissector such as the CAN one by using Dissector.get("can"), the CAN dissector needs to have registered itself by name, which it does not do. "CAN" shows up in "Supported Protocols", but those are registered protocols not registered dissectors; it's not a one-to-one relationship for protocols and dissectors.

There are multiple ways dissectors can register themselves to handle dissecting frames/packets. For the CAN protocol, it registers its dissector in two tables by number: in the "wtap_encap" table, and in the "sll.ltype" table. The "wtap_encap" table is a table used for wiretap encapsulation types, and the CAN dissector is registered for the encapsulation type number defined by "WTAP_ENCAP_SOCKETCAN" in C-code, which is the same as the Lua "wtap_encaps.SOCKETCAN" field in init.lua.

So that means you can get the CAN dissector by getting that number's entry from the DissectorTable for "wtap_encap", like this:

local encap_tbl = DissectorTable.get("wtap_encap")
local can_dis   = encap_tbl:get_dissector(wtap_encaps.SOCKETCAN)

or this is quicker:

local can_dis = DissectorTable.get("wtap_encap"):get_dissector(wtap_encaps.SOCKETCAN)

As an aside... to see what dissectors are registered by name, you can use the Lua Dissector.list() function which was introduced in release 1.11.3, like so:

local t = Dissector.list()

for _,name in ipairs(t) do
    print(name)
end

If you do that, you'll see there is no dissector named "can".

You can also see what the available DissectorTables are by using the new Lua DissectorTable.list() function as of 1.11.3, like so:

local dt = DissectorTable.list()

for _,name in ipairs(dt) do
    print(name)
end

If you do that, you'll see there is one named "wtap_encap", as well as the one named "sll.ltype".

answered 30 Apr '14, 11:09

Hadriel

You could submit a patch to the can dissector to register by name.

(30 Apr '14, 14:30) Anders ♦

Thanks for your detailed explanation: I appreciate it a lot. And it worked! :)

About submitting the patch, maybe I will do that also.

Thanks Andrea

(01 May '14, 23:15) Andrea
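
The lookup from Hadriel's answer placed inside a wrapper dissector that hands its payload to the CAN dissector, as an added example that is not part of the original thread. The protocol name `canwrap`, the EtherType 0x88B5, and the header layout (8-byte timestamp followed by one SocketCAN-layout frame) are assumptions for illustration.

```lua
-- Added example: hypothetical "CAN over Ethernet" wrapper dissector.
-- ASSUMPTIONS (not from the original post): EtherType 0x88B5, an 8-byte
-- timestamp header, then one frame in SocketCAN layout
-- (4-byte CAN ID, 1-byte length, 3 pad bytes, up to 8 data bytes).
local HDR_LEN   = 8
local ETHERTYPE = 0x88B5  -- IEEE "local experimental" EtherType, placeholder

local canwrap = Proto("canwrap", "CAN over Ethernet wrapper (example)")
local f_ts    = ProtoField.uint64("canwrap.timestamp", "Timestamp", base.DEC)
canwrap.fields = { f_ts }

-- "can" is not registered by name, so look it up by encapsulation number.
-- get_dissector() returns nil when nothing is registered for that value.
local can_dis  = DissectorTable.get("wtap_encap"):get_dissector(wtap_encaps.SOCKETCAN)
-- The generic "data" dissector is registered by name and serves as fallback.
local data_dis = Dissector.get("data")

function canwrap.dissector(tvb, pinfo, tree)
    -- Ignore frames too short to hold the header plus at least one byte,
    -- rather than building a range past the end of the buffer.
    if tvb:len() <= HDR_LEN then return end

    pinfo.cols.protocol = "CANWRAP"
    local subtree = tree:add(canwrap, tvb(0, HDR_LEN))
    subtree:add(f_ts, tvb(0, 8))

    -- Turn the remaining bytes into a new Tvb for the sub-dissector.
    local payload = tvb(HDR_LEN):tvb()

    if can_dis then
        can_dis:call(payload, pinfo, tree)
    else
        -- Builds without a SocketCAN entry in "wtap_encap": show raw bytes
        -- instead of failing with a Lua error on a nil value.
        data_dis:call(payload, pinfo, tree)
    end
end

-- Hook the wrapper to Ethernet frames carrying the assumed EtherType.
DissectorTable.get("ethertype"):add(ETHERTYPE, canwrap)
```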

question asked: 29 Apr '14, 05:27

question was seen: 3,358 times

last updated: 01 May '14, 23:15