This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Register heuristic function for multiple heuristic list names in Lua

0

I'm writing a custom Lua dissector for a protocol that can be sent over both TCP and UDP. According to the README.heuristic file, this can be done using the following code:

/ register as heuristic dissector for both TCP and UDP /

heur_dissector_add("tcp", dissect_PROTOABBREV_heur_tcp, "PROTOABBREV over TCP",
                   "PROTOABBREV_tcp", proto_PROTOABBREV, HEURISTIC_ENABLE);
heur_dissector_add("udp", dissect_PROTOABBREV_heur_udp, "PROTOABBREV over UDP",
                   "PROTOABBREV_udp", proto_PROTOABBREV, HEURISTIC_ENABLE);

I have successfully implemented this for our dissector written in C/C++. However, the Lua implementation of proto:register_heuristic(listname, func) only allows one heuristic function to be registered per protocol object even though I'm using two unique heuristic list names.

Calls to:

my_proto:register_heuristic("udp", my_heur_func)

my_proto:register_heuristic("tcp", my_heur_func)

Result in Wireshark displaying an error that my_proto already has a heuristic function registered. Inspecting the source, it appears the C code behind the Lua function checks against the proto name instead of the heuristic list name. Therefore, I can only register my heuristic function for a single heuristic list name.

Is this a Lua limitation or is there another way I can register my heuristic function with multiple heuristic list names? Short of another solution, it appears I may have to create two separate Lua dissectors. One for TCP and one for UDP.

asked 19 Jul '16, 08:20

emucker's gravatar image

emucker
11225
accept rate: 0%

Just a comment, not a answer: the workaround should be simpler in terms that you would create two functions (and, as each protocol can only have a single dissector function, also two protocol names), but one of the functions would be just a wrapper of the other one (i.e. it would call it with the same parameters it has received itself). But you may end up with two sets of display filter names (myproto_udp.xyz and myproto_tcp.xyz) if Lua is equally restrictive when registering the field names.

There is no limitation on how many protocols you register in a single .lua file.

(19 Jul '16, 08:49) sindy

One Answer:

0

An old question to be sure, but I believe the answer is:

my_proto:register_heuristic(my_proto, "udp", my_heur_func)
my_proto:register_heuristic(my_proto, "tcp", my_heur_func)

answered 14 Feb '20, 07:37

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 14 Feb '20, 07:38