This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm writing a custom Lua dissector for a protocol that can be sent over both TCP and UDP. According to the README.heuristic file, this can be done using the following code:

/ register as heuristic dissector for both TCP and UDP /

heur_dissector_add("tcp", dissect_PROTOABBREV_heur_tcp, "PROTOABBREV over TCP",
                   "PROTOABBREV_tcp", proto_PROTOABBREV, HEURISTIC_ENABLE);
heur_dissector_add("udp", dissect_PROTOABBREV_heur_udp, "PROTOABBREV over UDP",
                   "PROTOABBREV_udp", proto_PROTOABBREV, HEURISTIC_ENABLE);

I have successfully implemented this for our dissector written in C/C++. However, the Lua implementation of proto:register_heuristic(listname, func) only allows one heuristic function to be registered per protocol object even though I'm using two unique heuristic list names.

Calls to:

my_proto:register_heuristic("udp", my_heur_func)

my_proto:register_heuristic("tcp", my_heur_func)

Result in Wireshark displaying an error that my_proto already has a heuristic function registered. Inspecting the source, it appears the C code behind the Lua function checks against the proto name instead of the heuristic list name. Therefore, I can only register my heuristic function for a single heuristic list name.

Is this a Lua limitation or is there another way I can register my heuristic function with multiple heuristic list names? Short of another solution, it appears I may have to create two separate Lua dissectors. One for TCP and one for UDP.

asked 19 Jul '16, 08:20

emucker's gravatar image

emucker
11225
accept rate: 0%

Just a comment, not a answer: the workaround should be simpler in terms that you would create two functions (and, as each protocol can only have a single dissector function, also two protocol names), but one of the functions would be just a wrapper of the other one (i.e. it would call it with the same parameters it has received itself). But you may end up with two sets of display filter names (myproto_udp.xyz and myproto_tcp.xyz) if Lua is equally restrictive when registering the field names.

There is no limitation on how many protocols you register in a single .lua file.

(19 Jul '16, 08:49) sindy

An old question to be sure, but I believe the answer is:

my_proto:register_heuristic(my_proto, "udp", my_heur_func)
my_proto:register_heuristic(my_proto, "tcp", my_heur_func)
permanent link

answered 14 Feb, 07:37

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 14 Feb, 07:38

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×431
×1

question asked: 19 Jul '16, 08:20

question was seen: 2,294 times

last updated: 14 Feb, 07:38

p​o​w​e​r​e​d by O​S​Q​A