This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi Folks,

I am writing a dissector in Lua for a protocol which consists of arbitrary key/value pairs. I would like to generate the protocol fields on the fly by adding each unique key as it is encountered in the payload. For example, if a message contained "User=Joe;Region=Europe;SpecialVar=12345", then I would want to add User, Region and SpecialVar to the table of ProtoFields for the protocol.

Currently, I am trying to do this from within the dissector by getting the table of ProtoFields using protocolName.fields, inserting the new field, and then assigning the table back to protocolName.fields. However, when I run this code, Wireshark just hangs.

Should this be working? Or is modifying a Protocol from within its Dissector unsupported?

Note that I originally tried adding the new Protofield in place (i.e.: table.insert(protocolName.fields, newProtoField) ), but this simply did not work. So I am guessing that proto.fields returns a copy of the table as opposed to a reference (someone correct me if I am wrong).

Thanks in advance, Ryan

asked 11 Aug '16, 15:01

ryber's gravatar image

ryber
146459
accept rate: 16%

(12 Aug '16, 01:29) sindy

Thanks, Sindy. That question represents the same problem I am trying to solve. Your suggestions had occurred to me as a workaround, but I was hoping to be able to do it "properly".

(15 Aug '16, 05:29) ryber
1

There is no "proper" solution of this, given the overall architecture. The clear distinction between registration and execution phase has its purpose - all protocol fields can be used for display filter, so they must be known before the actual dissection takes place. Otherwise it e.g. wouldn't be possible to make a formal check of the display filter expression.

So in your case, if you know the complete set of possible field names, you can register all of them in advance and only practically use the ones which actually arrive in a frame, but if the names are totally unpredictable, only the "workaround" can be used.

(15 Aug '16, 05:37) sindy
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×431
×124
×12
×2

question asked: 11 Aug '16, 15:01

question was seen: 3,708 times

last updated: 15 Aug '16, 05:37

p​o​w​e​r​e​d by O​S​Q​A