This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

CAN-over-Ethernet LUA dissector

0

Hello, I'm writing a Lua dissector for a custom simple protocol. My protocol basically wraps CAN frames over ethernet media.

Thus, Wireshark captures Ethernet frames from the Ethernet card, and I hooked my LUA dissector to them. I can successfully parse some fields (timestamp and other random flags) and I can extract CAN ID, CAN len, and CAN payload.

Then I would like to chain to the standard wireshark CAN dissector, but I failed to do this. If I do:

local can_dis = Dissector.get("can")

Wireshark complains that the dissector was not found: "bad argument #1 to 'get' (Dissector_get: No such dissector)".

The "can" dissector should anyway be present in my Wireshark since I used it with socketcan devices successfully, and from menu "Internals->Supported protocol" it seems "can" is correctly listed. BTW version is 1.10.2 (SVN Rev 51934 from /trunk-1.10) (Linux)

Any suggestion would be appreciated :)

Thanks Andrea

asked 29 Apr '14, 05:27

Andrea

For that to work I think the can dissector needs to register by name. Check if it does.

(29 Apr '14, 08:20) Anders ♦

Is it possible to register a dissector from a LUA script? Can you please tell me how? Thank you

(29 Apr '14, 23:46) Andrea

One Answer:

1

What Anders means is: in order for you to call a built-in Wireshark dissector such as the CAN one by using Dissector.get("can"), the CAN dissector needs to have registered itself by name, which it does not do. "CAN" shows up in "Supported Protocols", but those are registered protocols, not registered dissectors; it's not a one-to-one relationship for protocols and dissectors.

There are multiple ways dissectors can register themselves to handle dissecting frames/packets. For the CAN protocol, it registers its dissector in two tables by number: in the "wtap_encap" table, and in the "sll.ltype" table. The "wtap_encap" table is a table used for wiretap encapsulation types, and the CAN dissector is registered for the encapsulation type number defined by "WTAP_ENCAP_SOCKETCAN" in C-code, which is the same as the Lua "wtap_encaps.SOCKETCAN" field in init.lua.

So that means you can get the CAN dissector by getting that number's entry from the DissectorTable for "wtap_encap", like this:

local encap_tbl = DissectorTable.get("wtap_encap")
local can_dis   = encap_tbl:get_dissector(wtap_encaps.SOCKETCAN)

or this is quicker:

local can_dis = DissectorTable.get("wtap_encap"):get_dissector(wtap_encaps.SOCKETCAN)

As an aside... to see what dissectors are registered by name, you can use the Lua Dissector.list() function which was introduced in release 1.11.3, like so:

local t = Dissector.list()

for _,name in ipairs(t) do print(name) end

If you do that, you'll see there is no dissector named "can".

You can also see what the available DissectorTables are by using the new Lua DissectorTable.list() function as of 1.11.3, like so:

local dt = DissectorTable.list()

for _,name in ipairs(dt) do print(name) end

If you do that, you'll see there is one named "wtap_encap", as well as the one named "sll.ltype".

answered 30 Apr ‘14, 11:09

Hadriel

You could submit a patch to the can dissector to register by name.

(30 Apr ‘14, 14:30) Anders ♦

Thanks for your detailed explanation: I appreciate it a lot. And it worked! :)

About submitting the patch, maybe I will do that also.

Thanks Andrea

(01 May ‘14, 23:15) Andrea
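
The chaining described in the answer above, shown end to end as an added example (not code from the original posts): a wrapper dissector that validates the CAN length, rebuilds a SocketCAN-style frame and hands it to the CAN dissector looked up through "wtap_encap". The wire layout, the EtherType 0x88b5, the "coe" protocol name and the big-endian CAN ID are assumptions made for the example.

```lua
-- Added example: chain a custom CAN-over-Ethernet wrapper to the built-in CAN dissector.
-- ASSUMED wire layout (not from the original post):
--   8 bytes timestamp | 1 byte flags | 4 bytes CAN ID (big-endian) | 1 byte length | 0..8 bytes data
-- ASSUMED EtherType 0x88b5 (IEEE "local experimental"); replace with the real one.
local coe = Proto("coe", "CAN over Ethernet (example)")
local f_ts    = ProtoField.uint64("coe.timestamp", "Timestamp")
local f_flags = ProtoField.uint8("coe.flags", "Flags", base.HEX)
coe.fields = { f_ts, f_flags }
local HDR_LEN = 14  -- timestamp + flags + CAN ID + length

-- "can" is not registered by name, so look it up by encapsulation number.
-- get_dissector() returns nil when nothing is registered for that number.
local can_dis  = DissectorTable.get("wtap_encap"):get_dissector(wtap_encaps.SOCKETCAN)
local data_dis = Dissector.get("data")

function coe.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end   -- truncated header: do not read past the buffer
    pinfo.cols.protocol = "COE"
    local sub = tree:add(coe, tvb(0, HDR_LEN))
    sub:add(f_ts, tvb(0, 8))
    sub:add(f_flags, tvb(8, 1))

    local dlc = tvb(13, 1):uint()
    -- Reject lengths that exceed classic CAN or the bytes actually captured.
    if dlc > 8 or tvb:len() < HDR_LEN + dlc then
        sub:add_expert_info(PI_MALFORMED, PI_ERROR, "Bad CAN length " .. dlc)
        return tvb:len()
    end

    -- Rebuild a SocketCAN-style frame: ID(4) + len(1) + 3 pad bytes + data, zero-filled to 16 bytes.
    local frame = tvb(9, 5):bytes()
    frame:append(ByteArray.new("000000"))
    if dlc > 0 then frame:append(tvb(HDR_LEN, dlc):bytes()) end
    frame:set_size(16)
    local can_tvb = frame:tvb("Rebuilt CAN frame")

    if can_dis then
        can_dis:call(can_tvb, pinfo, tree)
    else
        data_dis:call(can_tvb, pinfo, tree)    -- fall back to raw bytes if CAN is unavailable
    end
    return tvb:len()
end

DissectorTable.get("ethertype"):add(0x88b5, coe)
```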