This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LUA: Accessing multiple smb2.msg_id values

0

Hi, I'm writing some code that includes the parsing of SMB2 packets. Some packets have, say, three SMB2 apdus. If I use Wireshark's Apply as Column on the smb2.msg_id field, I see all three msg_id values in the Packet List, separated by commas. If I access the msg_id value in my LUA script, I get only the first msg_id in the packet.

How can I access all the msg_id values?

Thanks and regards...Paul

asked 22 Aug '14, 15:28

PaulOfford
accept rate: 11%


One Answer:

1

Gerald Combs asked a similar question years ago on the Wireshark developers mailing list, and Tamás Regõs provided a response that you may find useful.

To quote:

In case the field occurrence is more than 1 then result of the Field.new will be a table/array and not just 1 value.

Try something like this:

ip_src_f = Field.new("ip.src")
-- Calling the extractor returns every occurrence; { } collects them into a table
local ip_src_table = { ip_src_f() }

for i,ip_src in ipairs(ip_src_table) do
    local src = tostring(ip_src.value)
    -- ....
end

Ref: https://www.wireshark.org/lists/wireshark-dev/201005/msg00115.html.

answered 26 Aug '14, 12:54

cmaynard ♦♦

accept rate: 20%

Thanks, that sounds promising. I’ll give it a try and feedback the results.

Best regards…Paul

(29 Aug '14, 16:16) PaulOfford

Just tested this - it works a treat. Thanks for your help.

(01 Sep '14, 23:09) PaulOfford
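
The same pattern applied to the field from the question, as an added example that is not part of the original thread: a tap listener that collects every smb2.msg_id occurrence in each frame and counts frames carrying more than one. The script and capture file names in the comments are placeholders.

```lua
-- Added example: list every smb2.msg_id value found in each frame.
-- Run with: tshark -q -r capture.pcapng -X lua_script:smb2_msgids.lua
-- (capture.pcapng and smb2_msgids.lua are placeholder names)

-- Field extractors must be created at script load time, outside any callback.
local smb2_msg_id_f = Field.new("smb2.msg_id")

-- Tap on every frame that matches the display filter "smb2".
local tap = Listener.new("frame", "smb2")

local frames_seen = 0
local compound_frames = 0   -- frames with more than one smb2.msg_id

function tap.packet(pinfo, tvb)
    -- Calling the extractor returns one FieldInfo per occurrence;
    -- wrapping the call in { } collects all of them into a table.
    local msg_ids = { smb2_msg_id_f() }
    if #msg_ids == 0 then return end

    frames_seen = frames_seen + 1
    if #msg_ids > 1 then compound_frames = compound_frames + 1 end

    local values = {}
    for i, finfo in ipairs(msg_ids) do
        -- smb2.msg_id is a 64-bit field, so .value is a UInt64 object;
        -- tostring() gives its decimal representation.
        values[i] = tostring(finfo.value)
    end
    print(string.format("frame %d: %d msg_id(s): %s",
        pinfo.number, #msg_ids, table.concat(values, ", ")))
end

-- Called once at the end of a tshark run (and on redraw in the GUI).
function tap.draw()
    print(string.format("%d SMB2 frames, %d with multiple msg_id values",
        frames_seen, compound_frames))
end

-- Called when the capture is reloaded or the tap is reset.
function tap.reset()
    frames_seen, compound_frames = 0, 0
end
```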