Custom dissector for LLC Payload in Lua



I'd like to preface this by stating that this is my first time making a dissector in Lua (or really working in Wireshark for that matter) so if anything is unclear I'd be more than happy to clarify. My goal is to make a custom dissector for a protocol on top of SNAP LLC frames. Since the protocol info is currently dissected as "data," it seems that a chained dissector is appropriate. Using as a guide, I have created the following:

iiot = Proto("myproto", "My Protocol")

-- Header fields: a 16-bit type value shown in hex, followed by string data
local f_type = ProtoField.new("Type Value", "myproto.type", ftypes.UINT16, nil, base.HEX)
local f_data = ProtoField.string("myproto.data", "Data")

iiot.fields = { f_type, f_data }

function iiot.dissector(buf, pkt, root)
 local pktlen_remaining = buf:reported_length_remaining()
 local tree = root:add(iiot, buf:range(0, pktlen_remaining))

 -- First two bytes: type value
 tree:add(f_type, buf:range(0, 2))
 local typeid = buf:range(0, 2):uint()
 tree:append_text("(".. typeid ..")")

 pktlen_remaining = pktlen_remaining - 2

 -- Remaining bytes: data
 tree:add(f_data, buf:range(2, pktlen_remaining))
 local data = buf:range(2, pktlen_remaining):string()
 tree:append_text("(".. data ..")")
end

-- Register on the LLC DSAP table for 0xaa (170), keeping a handle to the previous dissector
local llc_dissector_table = DissectorTable.get("llc.dsap")
dissector = llc_dissector_table:get_dissector(170)
llc_dissector_table:add(170, iiot)

I suppose my question is two-fold. At present, my dissector loads and I can filter by “myiiot”. However, I am unable to dissect my packets using the “Decode As…” window. Since my packets are 0xaa SNAP, shouldn’t they automatically be dissected by my script? Is there a way to do this manually assuming the code is correct? Apologies if I am missing something obvious.

edit: Here is a CloudShark link for the capture

asked 10 Feb ‘17, 07:12

brownfox

edited 21 Feb ‘17, 11:44

Can you share the capture that generated the screenshot in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc. so others can test the script?

(10 Feb ‘17, 07:37) grahamb ♦

Did you find a solution? I am currently working on something similar.

(05 Apr ‘17, 00:50) nikdubois