This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A weird problem about Lua dissector: treeitem fails in IF condition


This is simple post-dissector code... it just adds a new protofield with the string “blahblahblah” to the dissection tree.

The weird thing is that if the line “b2=10” is removed, the script works; if it exists, the script doesn’t work.

b1=0
b2=0

myproto = Proto("myproto","test")

test_tag = ProtoField.string("TestTag", "testtag")

myproto.fields = {test_tag}

function myproto.dissector(tvb,pinfo,tree)
    local subtree = tree:add(myproto,"My Test Protocol")

    if b1==b2 then
        subtree:add(test_tag, "blahblahblah")
        b2=10
    end
end

register_postdissector(myproto,false)

I have met this issue on stable version 2.0.1 and development version 2.1.0.

asked 18 Feb ‘16, 22:45

kylegzy


One Answer:


This is expected behavior since Wireshark processes packets more than once. You can see the difference in behavior if you run tshark though, because tshark only processes packets once unless you explicitly tell it to perform a 2-pass analysis.

Compare:

tshark -r myproto.pcap -O myproto

with:

tshark -r myproto.pcap -2O myproto

In the first case, the first packet in myproto.pcap will display "testtag: blahblahblah", but since b2 is then set to 10, subsequent packets won't match the value of b1, b1 being 0, so the testtag isn't displayed for any other packets.

In the second case, all packets including the first packet will be processed more than once, so none of the packets will display the testtag.

answered 22 Jul '16, 08:31

cmaynard ♦♦
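One way to keep the tag decision stable across the repeated dissection passes described in the answer, as an added example that is not part of the original question or answer: the decision is recorded per frame number on the first pass only (when `pinfo.visited` is false) and looked up on every later pass. The names `myproto_fixed`, `tagged` and `seen_first` are assumptions chosen for this sketch.

```lua
-- Added example: pass-safe variant of the post-dissector from the question.
-- myproto_fixed, tagged and seen_first are hypothetical names.
local myproto = Proto("myproto_fixed", "test (pass-safe)")

local test_tag = ProtoField.string("myproto_fixed.testtag", "testtag")
myproto.fields = { test_tag }

-- Frame numbers that should carry the tag. Filled in only during the
-- first, sequential pass over the capture and read on every later pass.
local tagged = {}
-- True once the first frame of the capture has been tagged.
local seen_first = false

-- init() runs when a capture file is loaded or re-dissected, so state
-- left over from a previous file or pass sequence is discarded here.
function myproto.init()
    tagged = {}
    seen_first = false
end

function myproto.dissector(tvb, pinfo, tree)
    -- pinfo.visited is false only the first time a frame is dissected.
    -- Mutating shared state outside this branch is what made the original
    -- script's output depend on how many passes Wireshark had run.
    if not pinfo.visited and not seen_first then
        tagged[pinfo.number] = true
        seen_first = true
    end

    local subtree = tree:add(myproto, "My Test Protocol")

    -- The display logic only reads recorded state, so the same frame
    -- renders the same way on pass 1, pass 2 and when clicked in the GUI.
    if tagged[pinfo.number] then
        subtree:add(test_tag, "blahblahblah")
    end
end

register_postdissector(myproto, false)
```

With this variant, `tshark -r myproto.pcap -O myproto_fixed` and the same command with `-2` should both show the tag on the first frame only.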