LUA Dissector tree collapse

Question

Hi all,

I'm pretty new about the LUA Dissector. I have a problem with my code. Every time that I expand the treelist all subtrees are expanded automatically. How can I avoid this? Also, I'd like to ask you why the subtrees are displayed in grey color instead of white.

Below you will find my code. Thank you in advance for the help

Peter.

-- New Protocol and  fields
p_mynewproto  = Proto ("MyProtocol", "Test")
– Define Header fields
local protoHeader = p_mynewproto.fields
protoHeader.rxId        = ProtoField.uint16('protoHeader.rxId'      , 'Rx ID ' , base.HEX, nil)
protoHeader.txId        = ProtoField.uint16('protoHeader.txId'      , 'Tx ID ' , base.HEX, nil)
protoHeader.timeHour    = ProtoField.uint16('protoHeader.timeHour'  , 'Hour  ' , base.HEX, nil)
protoHeader.timeMinute  = ProtoField.uint16('protoHeader.timeMinute', 'Minute' , base.HEX, nil)
protoHeader.timeSecond  = ProtoField.uint16('protoHeader.timeSecond', 'Second' , base.HEX, nil)
– mynewproto dissector function
function p_mynewproto.dissector (buf, pkt, root)
– Check the packet length
if buf:len() == 0 then return end
pkt.cols.protocol = p_mynewproto.name
– start from offset 0
local offset = 0
– create subtree for mynewproto
subtreeA = root:add(p_mynewproto, buf(offset,buf:len())):append_text(" [My Protocol Header]")
– Rx ID
subtreeA:add(protoHeader.rxId , buf(offset,2))
– Tx ID
subtreeA:add(protoHeader.txId , buf(offset+2,2))
– Time
subtreeB = subtreeA:add(p_mynewproto, buf(offset+4,6),"[TIME]")
– Time Hour
subtreeB:add(protoHeader.timeHour , buf(offset+4,2))
– Time Minute
subtreeB:add(protoHeader.timeMinute , buf(offset+6,2))
– Time Second
subtreeB:add(protoHeader.timeSecond , buf(offset+8,2))
end
– Initialization function
function p_mynewproto.init()
end
– Register a chained dissector for port 11111
local udp_dissector_table = DissectorTable.get("udp.port")
dissector = udp_dissector_table:get_dissector(11111)
udp_dissector_table:add(11111, p_mynewproto)

Accepted Answer

In your example code above, the sub-tree you're adding is done with this:

subtreeB = subtreeA:add(p_mynewproto, buf(offset+4,6),"[TIME]")

That tells Wireshark to add a child item to subtreeA (which you created earlier), and the thing you're telling wireshark to add is p_mynewproto. But p_mynewproto represents a Protocol (a Proto object), and it's exactly the same protocol that you added when you created subtreeA earlier - so when you expand the tree in the GUI for subtreeA, Wireshark will automatically expand the tree for subtreeB, because they're the same protocol, and thus the same internal tree-type. Also that's why it's gray and not white - because it's a tree item for a Protocol rather than a ProtoField of a protocol. All protocol tree items are colored gray.

What you should be doing instead is creating another ProtoField for a "Time" field - this won't be a distinct field like the others, but rather just something to hold/contain/encapsulate the other time fields. For example by going this:

-- this is with your other ProtoField definitions:
protoHeader.time = ProtoField.bytes('protoHeader.time', 'Time')
-- this is inside your dissector:
subtreeB = subtreeA:add(protoHeader.time, buf(offset+4,6))
-- or this if you don't want to see the bytes shown:
subtreeB = subtreeA:add(protoHeader.time, buf(offset+4,6)):set_text('Time')