This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lua Post Dissector from 1.4 breaks in 1.6

0

I've been building a post dissector in Lua for the last month, and have used pinfo.columns.protocol:set("G2S") to assign packets the G2S name in the Protocol column that I've identified as my application protocol. In V1.4.x, this worked just fine. But now with 1.6, my first identified packet displays G2S in the protocol column, but all subsequent packets continue to show HTTP/XML. When I look at these HTTP/XML packets, they are green highlighted, meaning Wireshark has identified them as part of my protocol, and I find my G2S Protocol Post Dissector tree in the middle pane. So my protocol is being properly identified, and my Post Dissector is executing. But my setting of pinfo.columns.protocol is being ignored.

Has anyone else also seen this behavior? If others are seeing that it worked in 1.4.x and no longer does in 1.6, then I'll file this as a bug.

Thanks

asked 10 Jun '11, 14:12

NewbieBrian
accept rate: 0%

retagged 10 Jun '11, 18:11

helloworld


2 Answers:

0

Just thought I'd point out that you can shorten

pinfo.columns.protocol:set("G2S")

to:

pinfo.cols.protocol = "G2S"



I just confirmed this behavior in 1.7.0 (Ubuntu 11.04, 64-bit), but it seems inconsistent in that it happens only when setting the column text inside an if block, as shown below. I agree you should file a bug.

Based on the sample code from the Wireshark wiki:

-- trivial postdissector example
-- declare some Fields to be read
ip_src_f = Field.new("ip.src")
ip_dst_f = Field.new("ip.dst")
tcp_src_f = Field.new("tcp.srcport")
tcp_dst_f = Field.new("tcp.dstport")

-- declare our (pseudo) protocol
trivial_proto = Proto("trivial","Trivial Postdissector")

-- create the fields for our "protocol"
src_F = ProtoField.string("trivial.src","Source")
dst_F = ProtoField.string("trivial.dst","Destination")
conv_F = ProtoField.string("trivial.conv","Conversation","A Conversation")

-- add the fields to the protocol
trivial_proto.fields = {src_F, dst_F, conv_F}

-- create a function to "postdissect" each frame
function trivial_proto.dissector(buffer,pinfo,tree)
    -- obtain the current values of the protocol fields
    -- (each extractor returns nil when the field is absent from this frame)
    local tcp_src = tcp_src_f()
    local tcp_dst = tcp_dst_f()
    local ip_src = ip_src_f()
    local ip_dst = ip_dst_f()

    --###############################################################
    --# XXX: If we set the column here, the text always shows up
    --# properly in the Protocol column.
    --###############################################################
    --pinfo.cols.protocol = "Trivial"
    pinfo.cols.protocol:set("Trivial")

    if tcp_src then

        --###############################################################
        --# FIXME: But if we set the column here, the Protocol column
        --# is almost always not set to "Trivial" (or it's overwritten).
        --# The packets that do have "Trivial" in its Protocol column
        --# won't necessarily show it again when the pcap is reloaded.
        --###############################################################
        --pinfo.cols.protocol = "Trivial"
        pinfo.cols.protocol:set("Trivial")

        local subtree = tree:add(trivial_proto,"Trivial Protocol Data")
        local src = tostring(ip_src) .. ":" .. tostring(tcp_src)
        local dst = tostring(ip_dst) .. ":" .. tostring(tcp_dst)
        local conv = src .. "->" .. dst
        subtree:add(src_F,src)
        subtree:add(dst_F,dst)
        subtree:add(conv_F,conv)
    end
end

-- register our protocol as a postdissector
register_postdissector(trivial_proto)

answered 10 Jun '11, 18:08

helloworld
accept rate: 28%
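An added example, not code from the question or either answer, that brings the trivial postdissector closer to the situation in the question (an application protocol carried inside HTTP/XML). It only tags frames whose HTTP Content-Type is XML, adds its own subtree, and then writes both the Protocol and Info columns using the shorthand assignment from the first answer. The column write sits inside the same kind of conditional branch the second answer reports as being lost, so on an affected build it is exactly the write you would watch for. The protocol name "appxml", the field names, the "text/xml" / "application/xml" test and the "[APPXML]" marker are all assumptions for illustration.

```lua
-- Added example (not from the original post): postdissector that tags
-- HTTP/XML frames as an application protocol. Names and the content-type
-- test are assumptions, not anything the question defines.

-- Field extractors must be created at load time, outside the dissector.
local ct_f      = Field.new("http.content_type")
local ip_src_f  = Field.new("ip.src")
local ip_dst_f  = Field.new("ip.dst")
local tcp_src_f = Field.new("tcp.srcport")
local tcp_dst_f = Field.new("tcp.dstport")

local app_proto = Proto("appxml", "App-over-HTTP/XML Postdissector")
local f_conv = ProtoField.string("appxml.conv", "Conversation")
local f_ct   = ProtoField.string("appxml.content_type", "Content-Type")
app_proto.fields = { f_conv, f_ct }

-- Return the first value of a field as a string, or "?" if the field is
-- absent from this frame (e.g. IPv6 traffic has no ip.src).
local function field_str(extractor)
    local fi = extractor()
    if fi then
        return tostring(fi)
    end
    return "?"
end

-- True when the HTTP Content-Type header says the body is XML.
-- (Assumed rule: the real application would match on something stronger.)
local function is_app_xml(ct)
    if not ct then
        return false
    end
    local s = string.lower(tostring(ct))
    return s:find("text/xml", 1, true) ~= nil
        or s:find("application/xml", 1, true) ~= nil
end

function app_proto.dissector(buffer, pinfo, tree)
    -- Postdissectors run on every frame; bail out early for everything
    -- that is not an HTTP frame with an XML body.
    local ct = ct_f()
    if not is_app_xml(ct) then
        return
    end

    local src = field_str(ip_src_f) .. ":" .. field_str(tcp_src_f)
    local dst = field_str(ip_dst_f) .. ":" .. field_str(tcp_dst_f)

    local subtree = tree:add(app_proto, "App-over-HTTP/XML")
    subtree:add(f_conv, src .. "->" .. dst)
    subtree:add(f_ct, tostring(ct))

    -- Conditional column write, using the shorthand from the first answer.
    -- This is the write the question reports as ignored on 1.6.
    pinfo.cols.protocol = "APPXML"
    pinfo.cols.info:append(" [APPXML]")
end

register_postdissector(app_proto)
```

Load it with -X lua_script:&lt;file&gt; or from the plugins directory and open a capture that contains HTTP with an XML Content-Type: the subtree should appear on every such frame, and whether the Protocol column reads APPXML on all of them, or only on the first, is the behaviour the question and the second answer describe.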

0

This is discussed in bug 6020, and there's a patch attached to that bug to fix it as well.

answered 19 Feb '13, 11:21

Hadriel
accept rate: 18%