This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LUA: Accessing protocol values on first scan with tshark -2

0

Hi,

I need some clarification regarding the availability of decoded protocol fields when using tshark -2. I have the following test LUA script:

  eth_type_f = Field.new("eth.type")
  luatest = Proto("luatest","luatest Postdissector")

function luatest.dissector(buffer,pinfo,tree)
if not pinfo.visited then
info("not pinfo.visited")

info("Frame is: " .. pinfo.number)


  local eth_type = eth_type_f()
  x_eth_type = eth_type.value
  info("x_eth_type: " .. x_eth_type)
end

if pinfo.visited then
  info("pinfo.visited")  
  info("Frame is: " .. pinfo.number)

  local eth_type = eth_type_f()
  x_eth_type = eth_type.value
  info("x_eth_type: " .. x_eth_type)
end



end


– register our protocol as a postdissector
register_postdissector(luatest)

I run the script with the following command:

tshark -2 -q -X lua_script:"c:\Program Files\Wireshark\plugins\luatest3.lua"  -T fields -E separator=, -E quote=d -e frame.number -e ip.addr -e _ws.col.Info -r tds_sql_batch_first_1.pcapng

This produces the following output:

  not pinfo.visited
Frame is: 1
pinfo.visited
Frame is: 1
x_eth_type: 2048
"1","10.100.20.223,10.100.20.220","1155â┼'1433 [ACK] Seq=3698378077 Ack=2551614322 Win=65535 Len=0"

It seems that the decoded protocol field eth.type is not available in the first scan (when pinfo.visited is false). Is this correct?

Thanks and regards…Paul

asked 27 Jul ‘15, 03:46

PaulOfford's gravatar image

PaulOfford
131283237
accept rate: 11%

One Answer:

0

Correct - both tshark and Wireshark invoke dissection at various times, and in order to improve on performance they don't dissect certain fields if they don't think they need to. So in tshark's case, with the two-pass analysis it doesn't think you need that field information until the second pass. I bet if you set a filter, like '-R "eth.type"', then you'd see it in both passes.

But anyway there is a work-around for this that should make it work: add the Lua boolean "true" as a second argument to "register_postdissector()", like this:

-- register our protocol as a postdissector
register_postdissector(luatest, true)

That should force tshark/wireshark to generate all fields all the time. It impacts performance, which is why it's not enabled by default.

answered 27 Jul '15, 05:24

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Hi Hadriel, Adding the Boolean doesn't work - I get the same result as I get without it. The filter works great - thanks for that.

Best regards...Paul

(27 Jul '15, 05:43) PaulOfford

Hmmm... yet another bug. If you submit another bug for it I'll fix that too.

(27 Jul '15, 06:15) Hadriel