This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering packets in LUA

0

I have read that in order to obtain information about packets in LUA you have to use taps, but there only a few supported types. I want to have filters for different protocols (ARP, goose, etc) and get their individual pinfo.number. I have tried using pinfo.curr_proto but it printed < Missing Protocol Name>

Do I have to write a dissector for unsupported protocols?

asked 11 May '16, 15:05

13utters's gravatar image

13utters
11336
accept rate: 0%

edited 19 Jul '16, 10:44

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

pinfo.curr_proto returns < Missing Protocol Name> for HTTP packets too

(11 May '16, 15:55) 13utters
One Answer:
active answersoldest answersnewest answerspopular answers
0

Have you looked at the Lua postdissectors?

In the "Trivial" example provided, if you try to use pinfo.curr_proto, you will get "Trivial", which isn't what you want I don't think, but you should be able to use frame.protocols to determine which protocols are present in the frame. If you add/replace these lines to the postdissector example given, you can see what I mean:

 7 frame_protocols_f = Field.new("frame.protocols")
13 protocols_F = ProtoField.string("trivial.protocols", "Protocols")
14 trivial_proto.fields = {src_F, dst_F, conv_F, protocols_F}
22     local protocols = frame_protocols_f()
30         subtree:add(protocols_F,tostring(protocols))

When I ran it, it displayed something like this:

Source: 192.168.1.1:12345
Destination: 192.168.1.2:45678
Conversation: 192.168.1.1:12345->192.168.1.2:45678
Protocols: eth:ethertype:ip:tcp

If you're only interested in the last protocol in the stack, tcp in this case, then you can write a function (or search for one) to trim all characters up to and including the ':' from the string.

permanent link

answered 19 Jul '16, 10:42

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×431
×78
×31
×16
×5

question asked: 11 May '16, 15:05

question was seen: 2,000 times

last updated: 19 Jul '16, 10:44

Related questions

lua script for wireshark

Automatically exporting csv info

Lua listener, dynamic fields

Is it possible to make a listener in C++?

Help with field extractor - bad argument #1 to 'new'

"A Field extractor must be defined before Taps or Dissectors get called" when I try to create an SSL Tap

Lua: Listener object can not be instantiated

Adding/appending packet comments in pcapng file with the Lua API

[Lua] Bad argument #1 to Field.new (a field with this name must exist)

listening twice ( lua) to the same log on tshark

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A