This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Field manipulation in Lua/C


Is it possible to manipulate text of dissected fields inside a protocol?

I.e., to change field.display by setting/appending new text to it? The Wireshark Lua API says "Mode: Retrieve only." and indeed it throws an error when I try to assign new values to it.

Alternatively, is this possible in any other simple way (Lua or C)? By simple I mean not rewriting the dissector itself.

asked 06 Jun '16, 00:30


Aliniel

edited 06 Jun '16, 00:31

Would a new pseudo-field created by a post-dissector satisfy your needs, or do you insist that the name and value would change at the original place in the dissection tree?

(06 Jun '16, 01:37) sindy

I need it to be at the original location or right next to it as it gets confusing with longer packets.

A pseudo-field created by a post-dissector would be placed at the end of the packet in a new tree, right?

(06 Jun '16, 01:51) Aliniel

Right.

Some dissectors are written in a modular way that allows the use of plugins, much in the way you specify dissectors for TCP or UDP payload using the dissector tables, except that you just override the default processing of a single field and let the original dissector handle all the other fields normally.

So if you are lucky and the dissector for Your Protocol is one of those, you can write a new dissector (Lua or C) only for that particular field of the protocol.

(06 Jun '16, 01:57) sindy

I'm working with MIPv6, which runs over IPv4. There's some mention of dissector tables in the source code for MIPv6.

How would I override a dissector defined in dissector table for a given field in Lua?

(06 Jun '16, 02:56) Aliniel

A brief look at View->Internals->Dissector Tables isn't very optimistic, as by default there is just a single integer value of Mobile IPv6 vendor-specific option, mip6.vsm (10415), pointing at the basic MIPv6 dissector. Just to be sure, can you post a capture file containing a single packet and comment on what changes you'd like to make?

(06 Jun '16, 03:22) sindy

http://www.filedropper.com/sample_9

Under MIPv6 you can see a bunch of Mobility Options. Each one has its own value. Some of these values have different meaning for a specific vendor and I want to show these custom vendor's messages.

I'm also thinking of forcing a modified MIPv6 dissector via "Decode As..." which will handle these custom messages.

(06 Jun '16, 04:04) Aliniel

Decode As... is just another method of filling the dissector tables. In the case of your sample packet, Decode As only lets you (re)define which dissector will be used for IPv6 packets whose Next Header (ipv6.nxt field) has a certain value.

But the question for 100 points here is whether those vendor-specific options you are interested in are properly marked as "vendor-specific" (Mobility Option code 0x13) ones or not. If they are, the mip6.vsm table mentioned above will allow you to use your custom dissector only on these Mobility Options; if this is not the case and regular Mobility Option codes are misused for different purposes, you are out of luck.

In the latter case, you would have to extend the capabilities of the whole mipv6 dissector (and the right thing to do would be to contribute your enhancement to the trunk). Depending on how reliable the criteria are that can be used to determine how to handle the Mobility Options with standard codes, the detection could be automatic, or you would have to add a "mode switch" option allowing you to modify the behaviour of the dissector manually (in protocol settings).

(06 Jun '16, 04:46) sindy
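The mip6.vsm approach described in the comment above, as an added example that is not part of the original thread or of Wireshark's own code: a Lua plugin that registers a sub-dissector for one vendor's properly marked vendor-specific Mobility Options. Assumptions: the table is keyed by the Vendor ID carried in the option, the sub-dissector receives the bytes following the Vendor ID, and `VENDOR_ID`, the `examplevsm.*` names and the one-byte sub-type layout are hypothetical placeholders.

```lua
-- Added example (not from the thread). Load it as a Wireshark Lua plugin.
-- ASSUMPTIONS: VENDOR_ID is a placeholder, and the payload layout
-- (1-byte sub-type followed by opaque data) is hypothetical.
local VENDOR_ID = 99999  -- placeholder: replace with the vendor's enterprise number

local vsm = Proto("examplevsm", "Example Vendor-Specific Mobility Option")

-- Value strings carry the vendor's own meaning for each sub-type (constructed).
local f_subtype = ProtoField.uint8("examplevsm.subtype", "Sub-Type", base.DEC, {
    [1] = "Hypothetical meaning A",
    [2] = "Hypothetical meaning B",
})
local f_data = ProtoField.bytes("examplevsm.data", "Data")
vsm.fields = { f_subtype, f_data }

function vsm.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    -- Empty or truncated option: claim nothing so the MIPv6 dissector
    -- can fall back to its default handling.
    if len < 1 then
        return 0
    end

    local subtree = tree:add(vsm, tvb(0, len))
    subtree:add(f_subtype, tvb(0, 1))
    if len > 1 then
        subtree:add(f_data, tvb(1, len - 1))
    end
    return len
end

-- Only options whose Vendor ID matches are handed to this dissector;
-- every other Mobility Option is still decoded by the stock MIPv6 code.
DissectorTable.get("mip6.vsm"):add(VENDOR_ID, vsm)
```

This only affects options carried with the vendor-specific option code; standard option codes reused with different meanings never reach the table.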

No, they are not properly marked. That's precisely the issue here. The vendor is using valid messages but some message values are swapped for whatever reason.

Thanks for your assistance. Seems like there's no easy way to solve this.

(06 Jun '16, 05:08) Aliniel