I am trying to access the value of the "tcp.analysis.flags" field in a Lua script. I would like to apply a certain operation on all packets that have ANY of the TCP analysis flags set. However, it seems that tcp.analysis.flags is a label, and it has no real value that can be manipulated in the Lua script. Here is my code:
I expect to get a boolean value or something, but instead I get an error. A print(tcp_analysis_flags_f.type) returns "0", which corresponds to ftype: "NONE". The Wireshark GUI somehow triggers on these packets (for color filters). How can I use this field in a Lua dissector? asked 01 Aug '16, 12:11  J_Turner showing 5 of 7 show 2 more comments |
2 Answers:
Similarly to a few "real" fields in various protocols, Regardless whether a field has a value or not, the extractor function registered using In addition to that, So the solution of your need to perform (or not) a certain operation if any of the TCP analysis flags exists in the frame is to register an extractor function for this summary field, answered 02 Aug '16, 11:07  sindy |
This answer came out of the comments from @sindy. I am putting it here so it gets marked as answered. The key was to check if the field existed. If it didn't exist (i.e. the frame didn't fit the "tcp.analysis.flags" filter), it will fail an 'if' condition. Here is the code: This allows the Lua dissector to make decisions based on this filter/field. answered 02 Aug ‘16, 07:18 J_Turner Since @sindy provided the answer you were looking for, it would have been better if you had asked @sindy to change his comments to an answer so that you could have accepted it. What you’ve effectively done is claimed the answer for yourself, earning yourself undeserved reputation points. This is not good form. (02 Aug ‘16, 08:40) cmaynard ♦♦ Oops. My bad. @sindy, if you elevate your comments to an answer I will mark it is accepted and delete my answer. (02 Aug ‘16, 08:43) J_Turner @cmaynard, look at it from the positive side - for some people it is too complex to just click the Accept icon to highlight the Question as usefully answered for others, whereas @J_Turner took the effort to put together a concise Answer from my hints. So to satisfy house rules, I’m going to write my own summary as an Answer as I originally intended to after getting @J_Turner’s confirmation that my suggestion worked, but I definitely don’t feel robbed :-) And as for undeserved reputation, it even seems that accepting your own Answer actually doesn’t earn you any karma points. (02 Aug ‘16, 09:31) sindy |
I'd say there is a step missing. Answering your previous question, @cmaynard has pointed you to these two lines of Lua code:
As the syntax at line 18 shows, the object defined at line 5 is a function.
So try to change your code to
and see what happens.
Also, be aware that the first line must be part of registration of the dissector (i.e. of the main Lua code), while the second must be part of its execution (i.e. of the dissection function).
I didn’t specify it well in my question, but that is actually what I did. I have the function defined in the “registration section” and the print statement in the dissector. If I use print(tcp_analysis_flags_f().type), I get a value back: “0”. But if I do a print(tcp_analysis_flags_f().value), I get a nil value back.
I believe that
tcp.analysis.flagsis a field, not a label, but it has no value (neither scalar nor structured). So actually, the very existence of the field in a given frame is the condition you look for: if any tcp analysis flag (like e.g.tcp.analysis.retransmission) exists, the fieldtcp.analysis.flagsexists as well.So how do I practically use it? Is there a way to check if the field exists for a certain frame?
Never needed that myself (but I have written less than 10 Lua dissectors so far), but I would guess that if your
tcp_analysis_flags_f()returns anything else than nil, the field exists, otherwise it doesn’t.So you may try simply
That worked. Thank you!