This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi.

Since several days, I've tried (unsuccessfully) to create my own dissector written with the Lua langage in order to decode throw Wireshark the frames created with a custom raw sockets protocol.

My frames have a classic Ethernet structure:

  • MAC destination address
  • MAC source address
  • MAC length payload (ethertype)
  • Payload
  • Eventual padding

Without custom dissector, Wireshark uses LLC protocol to decode the frames.

Therefore, to have a specific decoding, I've tried to write a Lua dissector. I precise that I'm beginner with Lua langage working.

Anyway. After several tests, I can more or less decode my frame by registering my dissector as follows: local wtap_encap_table = DissectorTable.get("wtap_encap") wtap_encap_table:add(1, MyProto)

However, Wireshark use my dissector to decode all the frames which pass over my Ethernet link and leaves Source column and Destination column empty.

So, I'd like to know how to make Wireshark decode only my frames with my custom dissector.

To complete my question, follows my Lua script:

-- MyProto Dissector
local MyProto = Proto("MyProto", "MyProto")

-- MyProto Dissector fields
--local f = MyProto.fields

--f.MAC_addr_dest = ProtoField.STRING("MyProto.MAC_addr_dest", "MAC_addr_dest", base.NONE, MAC_addr_dest)
--f.MAC_addr_src = ProtoField.STRING("MyProto.MAC_addr_src", "MAC_addr_src", base.NONE, MAC_addr_src)

function MyProto.dissector(buffer, pinfo, tree)
    if buffer:len() < 18 then
        return
    end

    -- Parameters function
    local MAC_addr_dst0 = buffer(0, 1):uint()
    local MAC_addr_dst1 = buffer(1, 1):uint()
    local MAC_addr_dst2 = buffer(2, 1):uint()
    local MAC_addr_dst3 = buffer(3, 1):uint()
    local MAC_addr_dst4 = buffer(4, 1):uint()
    local MAC_addr_dst5 = buffer(5, 1):uint()
    local MAC_addr_src0 = buffer(6, 1):uint()
    local MAC_addr_src1 = buffer(7, 1):uint()
    local MAC_addr_src2 = buffer(8, 1):uint()
    local MAC_addr_src3 = buffer(9, 1):uint()
    local MAC_addr_src4 = buffer(10, 1):uint()
    local MAC_addr_src5 = buffer(11, 1):uint()
    local MAC_length = buffer(12, 2):uint()
    local Msg_LA = buffer(14, 2):uint()
    local Msg_length = buffer(16, 2):uint()

    -- Test for a specific message to see how it works !! 
    if (Msg_LA == 0x0000 and  Msg_length == 0x08) then
        -- Update "Protocol" and "Info" columns
        pinfo.cols.protocol = 'MyProto'
        pinfo.cols.info = "MSG : MON_HELLO_CNN" .. ", " .. string.format('LA: %0.4x', Msg_LA) .. ", " .. string.format('Length: %0.2x', Msg_length)

        -- Add tree and sub-tree data for expanding the packet info
        local tree1 = tree:add(MyProto, buffer(), 'MyProto Protocol Data')
        tree1:add(buffer(0, 6), string.format('Destination MAC Addr: %0.2x:%0.2x:%0.2x:%0.2x:%0.2x:%0.2x', MAC_addr_dst0, MAC_addr_dst1, MAC_addr_dst2, MAC_addr_dst3, MAC_addr_dst4, MAC_addr_dst5))
        tree1:add(buffer(6, 6), string.format('Source MAC Addr: %0.2x:%0.2x:%0.2x:%0.2x:%0.2x:%0.2x', MAC_addr_src0, MAC_addr_src1, MAC_addr_src2, MAC_addr_src3, MAC_addr_src4, MAC_addr_src5))
        tree1:add(buffer(12, 2), string.format('MAC Length: 0x%0.4x', MAC_length))
        tree1:add(buffer(14, 2), string.format('MSG LA: %0.4x', Msg_LA))
        tree1:add(buffer(16, 2), string.format('MSG Length: 0x%0.4x', Msg_length))
    end
end

local wtap_encap_table = DissectorTable.get("wtap_encap")
wtap_encap_table:add(1, MyProto)

asked 21 Apr '15, 07:35

Saj_B's gravatar image

Saj_B
6112
accept rate: 0%

Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×431
×6

question asked: 21 Apr '15, 07:35

question was seen: 3,241 times

last updated: 21 Apr '15, 07:35

p​o​w​e​r​e​d by O​S​Q​A