This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Equivalent of LUA Field extractors in C

Hi,

I am currently trying to write a post-dissector in C that I've already written in Lua. In Lua, fields can be extracted by using field extractor methods, e.g. I can read the "udp.port". Is there any equivalent to this in C?

asked 15 Jan '16, 00:26

Wodka


One Answer:

You just use the normal dissector functions for accessing the tvb. Info is in doc\README.dissector.

Post-dissectors are much the same as a normal dissector, except they get called for every frame after all other dissectors have had a go as required.

answered 15 Jan '16, 04:22

grahamb ♦

I don't want to access a range in the tvb but get information another dissector has already figured out, e.g. a UDP dissector would have created the meta-data field "udp.port". I need to access this information field (which is in C resembled by header_field_info type, I think).

(15 Jan '16, 04:50) Wodka

You get that via the packet_info structure passed to your dissector's pinfo parameter.

For the ports, use pinfo->srcport or pinfo->dstport.

(15 Jan '16, 04:58) grahamb ♦

I don't need the port. That was just an example. I just want to know, generally speaking, how to access a header field, e.g. one called "xxx.yyy".

(15 Jan '16, 06:40) Wodka

I'm not sure that you can in C. A dissector is normally limited to the tvb, the packet_info and proto_tree and any data structure passed from the caller, although post-dissectors don't get the data structure.

I guess there must be some method for Lua to extract that info. Digging into the code a little, it appears that Lua uses a tap and then processes the packet tree in the tap to extract fields. I'm not aware of any general API to do that that is available to C dissectors, but there might be one.

(15 Jan '16, 07:32) grahamb ♦