
Filtering packets in LUA


I have read that in order to obtain information about packets in LUA you have to use taps, but there are only a few supported types. I want to have filters for different protocols (ARP, goose, etc.) and get their individual pinfo.number. I have tried using pinfo.curr_proto but it printed < Missing Protocol Name>

Do I have to write a dissector for unsupported protocols?

asked 11 May '16, 15:05


13utters

edited 19 Jul '16, 10:44


cmaynard ♦♦

pinfo.curr_proto returns < Missing Protocol Name> for HTTP packets too

(11 May '16, 15:55) 13utters

One Answer:


Have you looked at the Lua postdissectors?

In the "Trivial" example provided, if you try to use pinfo.curr_proto, you will get "Trivial", which isn't what you want I don't think, but you should be able to use frame.protocols to determine which protocols are present in the frame. If you add/replace these lines to the postdissector example given, you can see what I mean:

 7 frame_protocols_f = Field.new("frame.protocols")
13 protocols_F = ProtoField.string("trivial.protocols", "Protocols")
14 trivial_proto.fields = {src_F, dst_F, conv_F, protocols_F}
22     local protocols = frame_protocols_f()
30         subtree:add(protocols_F,tostring(protocols))

When I ran it, it displayed something like this:

Source: 192.168.1.1:12345
Destination: 192.168.1.2:45678
Conversation: 192.168.1.1:12345->192.168.1.2:45678
Protocols: eth:ethertype:ip:tcp

If you're only interested in the last protocol in the stack, tcp in this case, then you can write a function (or search for one) to trim all characters up to and including the ':' from the string.

answered 19 Jul '16, 10:42


cmaynard ♦♦
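The approach in the answer, carried through as a complete postdissector, is shown below. This is an added example and not code from the original answer or from the Wireshark project; the plugin name proto_tracker, the field names proto_tracker.stack / proto_tracker.last, and the file name proto_tracker.lua are assumptions. It reads frame.protocols after all other dissectors have run, trims the stack down to the last protocol, exposes both as filterable fields, and records pinfo.number per protocol on the first pass only, which is what the question asks for.

```lua
-- proto_tracker.lua (example, not part of the original answer or of Wireshark):
-- place it in the personal Lua plugins folder (Help > About Wireshark > Folders).
local proto_tracker = Proto("proto_tracker", "Last-protocol tracker (example)")

-- frame.protocols is filled in by the core frame dissector, so a postdissector
-- can read it once every other dissector has finished with the packet.
local frame_protocols_f = Field.new("frame.protocols")

-- Exposing these as fields makes them usable in display filters,
-- e.g.  proto_tracker.last == "arp"
local f_stack = ProtoField.string("proto_tracker.stack", "Protocol stack")
local f_last  = ProtoField.string("proto_tracker.last",  "Last protocol")
proto_tracker.fields = { f_stack, f_last }

-- Packet numbers seen per last-protocol name, e.g. packets_by_proto["arp"] = {3, 7, 12}
local packets_by_proto = {}

-- Return everything after the final ':' ("eth:ethertype:ip:tcp" -> "tcp").
-- A stack without any ':' is returned unchanged.
local function last_protocol(stack)
    return stack:match("([^:]+)$") or stack
end

function proto_tracker.dissector(tvb, pinfo, tree)
    local protocols = frame_protocols_f()
    if not protocols then
        return  -- nothing to report for this frame
    end
    local stack = tostring(protocols)
    local last  = last_protocol(stack)

    local subtree = tree:add(proto_tracker, "Protocol tracker (example)")
    subtree:add(f_stack, stack)
    subtree:add(f_last, last)

    -- Dissectors run again whenever Wireshark re-dissects (filter changes,
    -- clicking a packet); only record on the first pass so numbers are not duplicated.
    if not pinfo.visited then
        packets_by_proto[last] = packets_by_proto[last] or {}
        table.insert(packets_by_proto[last], pinfo.number)
    end
end

register_postdissector(proto_tracker)

-- Helper to dump what has been collected; call it from Tools > Lua > Evaluate
-- after the capture has loaded:  proto_tracker_report()
function proto_tracker_report()
    for name, numbers in pairs(packets_by_proto) do
        print(name .. ": " .. table.concat(numbers, ", "))
    end
end
```

Two details matter for correctness. Field.new must be called at script load time (outside the dissector function), as above, or Wireshark refuses it. And the pinfo.visited guard is what keeps the per-protocol packet lists honest: without it every re-dissection of a packet would append its number again.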