I have a custom protocol which combines to make a higher level protocol. It is analogous to HTTP over TCP but it is NOT either of those. I have implemented a custom dissector for the lower level custom protocol. I used one of the DLT_USER linktypes to register the protocol in my Lua plugin. I managed to successfully dissect all of the fields required in this "subprotocol". Now, I would like to "reassemble" or combine packets of this subprotocol to display the higher level protocol. I am struggling to figure out how to do this. I have found some documentation relating to TCP reassembly, but I am not sure reassembly will work with my custom protocol since it is not TCP and it has its own custom linktype. I am wondering if a tap is the right solution for me?

asked 30 Jan '17, 08:31 GTOET_half_full
One Answer:
I would recommend visiting the Wireshark Lua/Examples wiki page and reviewing some of the example Lua files provided there. In particular, fpm.lua, which performs reassembly of packets. It's TCP-based, but hopefully it provides a nice starting point for you. I'm not sure, but I don't think the technique employed is limited to only TCP-based protocols.

answered 30 Jan '17, 08:50 cmaynard

Thank you for your response. I have delved into that file already and it is hard to tell whether or not the techniques in it can work with non-TCP based protocols. I have tried playing with the pinfo.desegment_len but to no avail so far...

(30 Jan '17, 09:15) GTOET_half_full
Can anybody confirm the validity of this answer on stackoverflow?
http://stackoverflow.com/questions/38630416/wireshark-lua-dissector-reassembly-dissector-not-called-with-previous-tvbs-da
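
An added example, not part of the original thread or of fpm.lua: a Lua dissector registered on a DLT_USER encapsulation that buffers fragments itself instead of relying on pinfo.desegment_len. The two-byte fragment header, the `mysub` names and the choice of USER0 are assumptions made for illustration, and fragments are assumed to arrive in order.

```lua
-- ASSUMED fragment header (hypothetical, not from the thread):
--   byte 0 = message id, byte 1 = flags (bit 0 set on last fragment), rest = payload
local sub = Proto("mysub", "Example lower-level protocol")
local f_id    = ProtoField.uint8("mysub.msg_id", "Message ID", base.DEC)
local f_flags = ProtoField.uint8("mysub.flags", "Flags", base.HEX)
local f_data  = ProtoField.bytes("mysub.reassembled", "Reassembled message")
sub.fields = { f_id, f_flags, f_data }

local HDR_LEN = 2
local MAX_MSG = 65536   -- cap each buffer so a hostile capture cannot grow it without bound
local pending = {}      -- message id -> ByteArray still being accumulated
local complete = {}     -- frame number of last fragment -> finished ByteArray

function sub.init()     -- called whenever a capture is loaded or reloaded
    pending, complete = {}, {}
end

function sub.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end
    pinfo.cols.protocol = "MYSUB"
    local t = tree:add(sub, tvb())
    t:add(f_id, tvb(0, 1))
    t:add(f_flags, tvb(1, 1))
    local id, flags = tvb(0, 1):uint(), tvb(1, 1):uint()

    -- Buffer only on the first pass; later passes revisit frames in any order.
    if not pinfo.visited then
        local buf = pending[id] or ByteArray.new()
        if tvb:len() > HDR_LEN then buf:append(tvb(HDR_LEN):bytes()) end
        if buf:len() > MAX_MSG then
            pending[id] = nil                 -- oversized message: discard
        elseif flags % 2 == 1 then            -- bit 0 set: last fragment
            complete[pinfo.number] = buf
            pending[id] = nil
        else
            pending[id] = buf
        end
    end

    -- On every pass, show the reassembled message on the frame that completed it.
    local msg = complete[pinfo.number]
    if msg and msg:len() > 0 then
        local rtvb = ByteArray.tvb(msg, "Reassembled message")
        t:add(f_data, rtvb())
        -- a higher-level dissector would be called here with rtvb
    end
    return tvb:len()
end

DissectorTable.get("wtap_encap"):add(wtap.USER0, sub)
```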