This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am using a sniffer (Uracoli) for wireless frames IEEE 802.15.4. When I see them in Wireshark, the packet details show the following tree (example):

+ Frame 1550: 28 bytes on wire...
+ IEEE 802.15.4 Data, Dst: 0x0000, Src: 0x0002
+ Data (17 Bytes)

Then, I have developed a custom protocol inside the "data" (=payload) field. I want to write a lua-based dissector to manage the new protocol. I.e. it should be like this (another example)

+ Frame 1550: 28 bytes on wire...
+ IEEE 802.15.4 Data, Dst: 0x0000, Src: 0x0002
- My Custom Message type 0x0A
    + Custom field 1
    + Another field 2

I have seen other posts, and I have the following in my .lua file:

    my_prot = Proto("my_prot", "My Protocol")
    local IEEE802154_table = DissectorTable.get("wtap_encap")
    local IEEE802154_dissector = IEEE802154_table:get_dissector(104) -- 104 = "IEEE802_15_4" frames

    function my_prot.dissector(buffer, pinfo, tree)
        IEEE802154_dissector:call(buffer, pinfo, tree)

        -- How can I dissect ONLY the payload (data) of the 802.15.4 frame?

    end

    IEEE802154_table:add(104, my_prot)

Some options I have tried:

  • I don't like using "buffer(offset,len)" to select the data, because the data content may have different offsets from the start of the frame.

  • Using "Field.new("data.data")" generates trouble like "A Field extractor must be defined before Taps of Dissectors get called".


Thank you so much!
Jose Antonio

asked 09 Mar '15, 06:06

JoseATG


What you (probably) need is a postdissector in Lua.

http://wiki.wireshark.org/Lua/Examples/PostDissector

You can also have a look at questions tagged with postdissector.

https://ask.wireshark.org/tags/postdissector/

You'll also find sample code in some of these questions.

Regards
Kurt

answered 09 Mar '15, 14:04

Kurt Knochner ♦

edited 09 Mar '15, 14:07
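
A post-dissector of the kind suggested in the answer, as an added example that is not part of the original posts. The payload layout (1-byte message type, 1-byte field 1, 2-byte field 2) and the `my_prot.*` field names are assumptions made for illustration; `data.data` and `wpan` are the existing Wireshark field names for the undissected payload and the IEEE 802.15.4 layer.

```lua
-- Added example: post-dissector for a custom protocol carried in the
-- IEEE 802.15.4 payload. The field layout below is hypothetical.
local my_prot = Proto("my_prot", "My Protocol")

local f_type   = ProtoField.uint8("my_prot.type", "Message type", base.HEX)
local f_field1 = ProtoField.uint8("my_prot.field1", "Custom field 1", base.DEC)
local f_field2 = ProtoField.uint16("my_prot.field2", "Another field 2", base.HEX)
my_prot.fields = { f_type, f_field1, f_field2 }

-- Field extractors must be created here, while the script is loading.
-- Calling Field.new() inside the dissector function is what produces the
-- "A Field extractor must be defined before ..." error.
local payload_field = Field.new("data.data")
local wpan_field    = Field.new("wpan")

local MIN_LEN = 4 -- assumed minimum size of one custom message

function my_prot.dissector(tvb, pinfo, tree)
    -- Only look at packets the 802.15.4 dissector has already handled.
    if not wpan_field() then return end

    -- The 802.15.4 dissector hands its undissected payload to "data", so the
    -- extracted field already points at the right offset for every frame.
    local payload = payload_field()
    if not payload then return end

    local range = payload.range
    if range:len() < MIN_LEN then return end -- truncated or foreign payload

    local msg_type = range:range(0, 1):uint()
    local subtree = tree:add(my_prot, range,
        string.format("My Custom Message type 0x%02X", msg_type))
    subtree:add(f_type,   range:range(0, 1))
    subtree:add(f_field1, range:range(1, 1))
    subtree:add(f_field2, range:range(2, 2))

    pinfo.cols.protocol = "MY_PROT"
end

-- Runs after all regular dissectors, so the wtap_encap table is left untouched.
register_postdissector(my_prot)
```

Because the payload is located through the `data.data` field rather than a fixed `buffer(offset,len)`, variable-length 802.15.4 headers do not need to be parsed by the script.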
