This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I replace “Unknown” to other text of valuestring in Lua dissector

0

I made dissector in Lua as following. And decorded as "MYPROTO" TCP payload. When the first byte of TCP palyload is 0x02, dissector shows "First byte: Two (2)". But the first byte is not 0x02 (for example 0x01), dissector shows "First byte: Unknown (1)". I want to show "First byte: Not two (1)". How can I replace default string ("Unknown") to other string?

local myproto = Proto("myproto", "My Protocol")
myproto.fields = {ProtoField.uint8("myproto.firstbyte", "First byte", base.DEC, {[2] = "Two"})}
function myproto.dissector (buf, pkt, root)
   local t = root:add(myproto, buf())
   t:add(myproto.fields[1], buf(0, 1))
end
DissectorTable.get("tcp.port"):add(10000, myproto)

asked 07 Apr '15, 20:55

cosmos's gravatar image

cosmos
6224
accept rate: 0%

One Answer:

1

You can add your own string like this

local myproto = Proto("myproto", "My Protocol") function myproto.dissector (buf, pkt, root) local t = root:add(myproto, buf()) local s1 = "Mystring" t:add(buf(0, 1),string.format("First Byte: %s %d",s1,buf(0,1):uint())) end local tcp_table = DissectorTable.get("tcp.port") tcp_table:add(8443, myproto) tcp_table:add(61639, myproto)

You can also append the text after buf like this t:add(buf(0, 1),string.format("First Byte: %s %d",s1,buf(0,1):uint())):append_text("Demo")

answered 08 Apr '15, 22:49

ankit's gravatar image

ankit
65232328
accept rate: 25%

Do you want to say that I should not use valuestring feature of ProtoFiled()?

(08 Apr '15, 23:22) cosmos
1

if you want to use valuestring then you have to create each and every entry of first byte of TCP payload of each and every frame in your pcap file. like this myproto.fields = {ProtoField.uint8("myproto.firstbyte","1st byte",base.DEC,{ [0]="zero", [1]="one", [2]="two", })}

(09 Apr '15, 04:29) ankit

Thank you very much. I understand.

(09 Apr '15, 17:03) cosmos