This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Input for a dissector


Hi,

I'm writing a dissector for Wireshark with lua. (not the first).

But I have the following problem: the data that I want to analyze is already split up to some extent at the TCP level by ISO 8075 (COPT protocol), and I only want to use the data dump for my dissector.

Currently I use:

    tcp_encap_table = DissectorTable.get("tcp.port")
    tcp_encap_table:add(102, matze_proto)

Here I get data I do not want to use.

Is there any way to get something like the following to run?

    tcp_encap_table = DissectorTable.get("ISO-8073")
    tcp_encap_table:add(***, matze_proto)

I think I need the name of the dissector table for COPT (ISO-8073), but I don't know where I can find it.

I greatly appreciate any help or suggestions.

Greetings, Matze

asked 07 Apr '11, 23:32


MatzeB

retagged 29 Apr '11, 22:03


helloworld

Sorry for my bad English :-)

(07 Apr '11, 23:33) MatzeB

One Answer:


ISO 8073 is actually COTP (Connection Oriented Transport Protocol), not "COPT". Here is an example of using dissector chaining to get to the COTP data:

do
    local cotp_wrapper_proto = Proto("cotp_wrapper", "COTP Wrapper")
    local original_cotp_dissector = nil
    -- Declare a field extractor to check for the
    -- presence of COTP in the current packet.
    local f_cotp = Field.new("cotp")

    function cotp_wrapper_proto.dissector(tvbuffer, pinfo, treeitem)

        -- let the actual dissector parse the data at TCP port 102
        -- (it might not be COTP but we'll find out soon below)
        if original_cotp_dissector then
            original_cotp_dissector:call(tvbuffer, pinfo, treeitem)
        end

        -- if the "cotp" field exists, the packet has COTP and
        -- tvbuffer is the COTP data
        if f_cotp() then
            debug("COTP: " .. tostring(tvbuffer))
        end
    end

    local tcp_dissector_table = DissectorTable.get("tcp.port")
    original_cotp_dissector = tcp_dissector_table:get_dissector(102) -- save the original dissector so we can still get to it
    tcp_dissector_table:add(102, cotp_wrapper_proto)                 -- and take its place in the dissector table
end

answered 28 Apr '11, 14:05


bstn

edited 28 Apr '11, 14:06
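Building on the chaining wrapper in the answer above, here is an added example (not code from the original answer or from Wireshark itself) that goes one step further: after the original port-102 dissector has run, it uses the COTP Length Indicator to locate the user data that follows the COTP header and hands those bytes to the questioner's own protocol as a tree item. It assumes that the field "cotp.li" is COTP's one-byte Length Indicator, that each TCP segment carries a single TPKT/COTP PDU that is not reassembled across segments, and that matze_proto and its field names are hypothetical placeholders.

```lua
-- Added example: extend the port-102 wrapper so that the bytes after the
-- COTP header are dissected as a separate (hypothetical) protocol.
do
    local matze_proto = Proto("matze", "Matze payload after COTP")
    local pf_data = ProtoField.bytes("matze.data", "COTP user data")
    matze_proto.fields = { pf_data }

    local cotp_wrapper_proto = Proto("cotp_wrapper", "COTP Wrapper")
    local original_cotp_dissector = nil
    local f_cotp    = Field.new("cotp")
    local f_cotp_li = Field.new("cotp.li")   -- assumed: COTP Length Indicator

    function cotp_wrapper_proto.dissector(tvbuffer, pinfo, treeitem)
        -- let the real TPKT/COTP dissector do its work first
        if original_cotp_dissector then
            original_cotp_dissector:call(tvbuffer, pinfo, treeitem)
        end
        if not f_cotp() then return end       -- port 102 but not COTP

        -- Several TPDUs may appear in one packet; the last one is the one
        -- whose user data runs to the end of this segment.
        local lis = { f_cotp_li() }
        local li = lis[#lis]
        if not li then return end

        -- FieldInfo offsets are relative to the frame; convert them to the
        -- TCP payload tvb we were handed. User data starts after the LI
        -- byte plus LI further header bytes (a DT TPDU has LI = 2).
        local start = li.offset + 1 + li.value - tvbuffer:offset()
        -- Reassembled PDUs live in another data source, so their offsets
        -- do not map onto tvbuffer; skip anything that falls outside it.
        if start < 0 or start >= tvbuffer:len() then return end

        local payload = tvbuffer:range(start)
        local subtree = treeitem:add(matze_proto, payload)
        subtree:add(pf_data, payload)
        pinfo.cols.protocol = "MATZE"
    end

    local tcp_dissector_table = DissectorTable.get("tcp.port")
    original_cotp_dissector = tcp_dissector_table:get_dissector(102)
    tcp_dissector_table:add(102, cotp_wrapper_proto)
end
```

Because the wrapper replaces the port-102 entry rather than registering with COTP directly, it only sees payloads that arrive on that port; COTP carried over other ports would still need its own table entry.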