Hi, I've written a post-dissector to add some additional info into the tree for TCP packets. I'd like to do something like the It seems like this would require saving state and then updating an already dissected packet. Is this even possible with LUA, and if so could someone provide a few hints or point to similar code? thanks a bundle, chris asked 02 Feb '17, 02:07 gaddman edited 08 Feb '17, 13:42
2 Answers:
I faced the same issue when I wrote the TRANSUM LUA. Guy corrected me the other day regarding Wireshark scanning so my following description is a bit loose, and I'm doing this from memory. Your dissector will be called at least twice for each packet; once on an initial scan with pinfo.visited false and a second (and further times) with pinfo.visited true. You can generate the new values on the first scan and add the data to the protocol tree on the second (and later) scans. You might want to take a look at the TRANSUM LUA code which you can download from TribeLab.com. Best regards...Paul answered 04 Feb '17, 03:12 PaulOfford
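The two-scan pattern described in this answer, as an added example that is neither the asker's dissector nor the TRANSUM code: a Lua post-dissector that records per-TCP-stream state on the first pass (pinfo.visited false) and only adds fields to the tree on later passes. The protocol and field names are assumptions.

```lua
-- Added example: two-pass state tracking in a Wireshark Lua post-dissector.
-- Protocol/field names below are invented for the example.
local tcpext = Proto("tcpext_example", "TCP extension example")

local f_prev_frame = ProtoField.framenum("tcpext_example.prev_frame",
                                         "Previous frame in stream")
local f_delta      = ProtoField.double("tcpext_example.delta",
                                       "Seconds since previous frame in stream")
tcpext.fields = { f_prev_frame, f_delta }

-- Read a field the TCP dissector has already filled in (must be created at load time)
local tcp_stream = Field.new("tcp.stream")

-- Results computed on the first pass, keyed by frame number
local prev_by_frame  = {}   -- frame -> previous frame in the same stream
local delta_by_frame = {}   -- frame -> seconds since that previous frame

-- Scratch state used only while the first pass is running
local last_in_stream = {}   -- stream id -> { frame = n, ts = seconds }

-- Reset everything when a capture is (re)loaded, otherwise stale state leaks in
function tcpext.init()
    prev_by_frame, delta_by_frame, last_in_stream = {}, {}, {}
end

function tcpext.dissector(tvb, pinfo, tree)
    local stream = tcp_stream()
    if not stream then return end          -- not a TCP packet
    local sid   = stream.value
    local frame = pinfo.number

    if not pinfo.visited then
        -- First scan: compute and store, but do not touch the tree yet
        local last = last_in_stream[sid]
        if last then
            prev_by_frame[frame]  = last.frame
            delta_by_frame[frame] = pinfo.abs_ts - last.ts
        end
        last_in_stream[sid] = { frame = frame, ts = pinfo.abs_ts }
        return
    end

    -- Second and later scans: add the saved values to the tree
    local prev = prev_by_frame[frame]
    if prev then
        local subtree = tree:add(tcpext, "TCP extension example")
        subtree:add(f_prev_frame, prev)
        subtree:add(f_delta, delta_by_frame[frame])
    end
end

register_postdissector(tcpext)
```

Note that tshark runs a single pass by default, so the fields only appear there with `tshark -2`; Wireshark itself redissects packets as they are displayed, which is the second scan the answer refers to.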
I doubt this can be done in a post dissector, let alone LUA. I think this has to be done in the TCP dissector itself. The concept however is possible. Other dissectors do have the feature where 'requests' and 'responses' are matched both ways. There is a README on this (request response tracking) in the doc directory of the source tree to give you some insight into how this is achieved. answered 02 Feb '17, 02:39 Jaap ♦ Thanks for the pointer, I read the source docs and there's a good outline of how to write a dissector in C: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.request_response_tracking;hb=HEAD (08 Feb '17, 13:36) gaddman
Paul, that's even better than what I'd hoped for. I've had a look through your TRANSUM code and realised it was actually a small change to my code. Updated my dissector here: https://github.com/gaddman/wireshark-tcpextend