I have written several UDP dissectors and they all work fine. I am struggling in creating my first TCP dissector for a custom protocol. No matter how I register the protocol, Wireshark seems to either ignore or override my dissector and use a standard decoder on the packet. The custom protocol port number is 8501 and it is always decoded as cmtp-mgt. Any suggestions on what I am doing wrong would be appreciated.
asked 19 Aug '15, 00:50 karlmj
One Answer:
For the SYN and SYN ACK there is no protocol involved; the description of the port comes from the "services" file that is either in the global or personal profile or maybe your OS.
answered 19 Aug '15, 06:22 grahamb ♦
I can now see the dissector is working on the TCP packets. The confusion has arisen due to the fact that the initial set-up packets, SYN and SYN ACK, are being labelled as cmtp-mgt by Wireshark. How can I make sure these packets are labelled correctly?
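As an added illustration of the registration step the question is about (example code, not from the thread): a minimal Wireshark Lua dissector registered on TCP port 8501. The protocol name and the 4-byte header layout are assumptions; the comments also spell out why the handshake segments keep the "services" name regardless of what the dissector does.

```lua
-- Added example: a hypothetical custom protocol on TCP port 8501 (the port from
-- the question). The name "MYCUSTOM" and the header layout are assumptions.
local mycustom = Proto("MYCUSTOM", "My Custom TCP Protocol")

-- Assumed header: 2-byte message type, 2-byte payload length, then payload.
local f_type = ProtoField.uint16("mycustom.type",   "Message Type",   base.HEX)
local f_len  = ProtoField.uint16("mycustom.length", "Payload Length", base.DEC)
local f_data = ProtoField.bytes ("mycustom.data",   "Payload")
mycustom.fields = { f_type, f_len, f_data }

function mycustom.dissector(tvb, pinfo, tree)
  -- TCP only hands segment data to a port-registered dissector. A bare SYN or
  -- SYN/ACK carries no data, so this function never runs for them and their
  -- Info column keeps the port name from the "services" file ("cmtp-mgt").
  if tvb:len() < 4 then
    return 0
  end

  pinfo.cols.protocol = mycustom.name
  local subtree = tree:add(mycustom, tvb(), "My Custom TCP Protocol")
  subtree:add(f_type, tvb(0, 2))
  subtree:add(f_len,  tvb(2, 2))

  -- Only attach the payload field if the segment actually holds that many bytes.
  local plen = tvb(2, 2):uint()
  if tvb:len() >= 4 + plen then
    subtree:add(f_data, tvb(4, plen))
  end
  return tvb:len()
end

-- This registration is what makes Wireshark pick this dissector instead of the
-- default decode for data-bearing segments on port 8501.
DissectorTable.get("tcp.port"):add(8501, mycustom)
```

Drop the file in the personal plugins directory and reload the Lua plugins; the labels on the handshake packets themselves can only be changed through the "services" file the answer refers to.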