This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering by fields generated in lua

I'm parsing some payloads in IEEE 802.15.4. The structure of the payloads is that the first byte indicates the data type. I would like to be able to filter by payload type. I seem to be able to create the filter for my dissector that is visible in the "Display Filter Expressions" dialog, but whenever I try to filter by the value it always filters out every one of my packets regardless of how I define my filter, such as type!=123 when I know that I have many types other than 123. Also, simply entering type in the filter window filters out all my packets. I've tried a bunch of ways to try and set the type field and no joy. Would appreciate any pointers. Here is the code:

-- MyProto protocol
-- declare our protocol
MyProto = Proto("MyProto","MyProto Protocol")
-- Create the protocol fields
-- (proxyClientMsgType_t, MsgType_t, MsgTypeDetailed_t and pktlen are defined elsewhere in the poster's script and are not shown here)
local f_type = ProtoField.uint8("type", "Type", base.HEX, proxyClientMsgType_t, 0, "MyProto Packet Type" )
MyProto.fields = { f_type }

-- create a function to dissect it
function MyProto.dissector(buffer,pinfo,tree)
    pinfo.cols.protocol = MyProto.name
    --local subtree = tree:add(MyProto,buffer(),"MyProto Protocol Data")

    local PacketType = buffer(0,1):uint()
    MyProto.fields.type = 2

    MyProto.fields.f_type = PacketType --does not seem to help with filter
    f_type = PacketType --does not seem to help with filter

    --MyProtoType
    -- note: MyProto.fields is the array { f_type }, so MyProto.fields.f_type is nil here and no ProtoField is added to the tree
    local subtree = tree:add(MyProto.fields.f_type , buffer(), "MyProto - " .. proxyClientMsgType_t[PacketType]:sub(13)  .. " - " .. PacketType .. " - <<"  ..   buffer(0,pktlen-1) .. ">>" )
    subtree:add("Packet Type: " .. PacketType .. " - ".. MsgType_t[PacketType] .. " - " ..  MsgTypeDetailed_t[PacketType], buffer (0,1) )

end

-- load the wpan table
wpan_table = DissectorTable.get("wpan.panid")
-- register our protocol to handle udp port 7777
wpan_table:add(104,MyProto )
wpan_table:add(127, MyProto )

As a bonus question, I seem to be having difficulty getting the sub trees of my packet byte pane to highlight subsections of the payload bytes. How do I tie that together?

asked 23 Feb ‘17, 17:48

MountainLogic

edited 24 Feb ‘17, 11:48


One Answer:

wpan_table:add(104,cota)
wpan_table:add(127, cota)

What is cota? For starters, I don't think your dissector is being registered properly and thus it's probably not ever being called. Maybe start with a smaller, simpler dissector first and build from there, for example:

-- Protocol
local p_myproto = Proto("MyProto", "MyProto Protocol")

-- Fields
local f_myproto_type = ProtoField.uint8("myproto.type", "Type", base.HEX)
p_myproto.fields = { f_myproto_type }

-- Dissection
function p_myproto.dissector(buffer, pinfo, tree)
    local myproto_tree = tree:add(p_myproto, buffer(0,-1))

    pinfo.cols.protocol:set("MYProto")
    myproto_tree:add(f_myproto_type, buffer(0, 1))
end

-- Registration
local wpan_table = DissectorTable.get("wpan.panid")
wpan_table:add(104, p_myproto)
wpan_table:add(127, p_myproto)

See if that gets you any further?

There are also many Lua examples available on the wiki that should help you. See my answer to this question for a list of some. I also provided a simple Lua example in a comment I made to this other question, along with a link to a capture file hosted at cloudshark, which may or may not be useful to you as well.

answered 24 Feb ‘17, 11:27

cmaynard ♦♦

Christopher, great answer. Works like a charm and it has really helped. Yes, I had tried to change the variable name to something a bit more general, and in the original it did get called just fine. I've edited my code in the question, so I believe you can delete everything up to "Maybe" in your answer. Thanks. –scott

(24 Feb ‘17, 14:02) MountainLogic
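For anyone landing on this archived thread: below is an added example (mine, not code from the question or from the answer above) that grows the answer's skeleton into what the question asked for: a type byte decoded through a value-string table, a payload item whose tvb range drives highlighting in the bytes pane, and registration on the two PAN IDs from the question. The message-type codes and names in MSG_TYPES are constructed for illustration. The point it demonstrates is the one the original code tripped over: a field appears in the Display Filter Expressions dialog as soon as it is listed in proto.fields, but a display filter such as myproto.type == 0x7b, myproto.type != 0x7b, or just myproto.type only matches packets in which the dissector actually added that ProtoField to the tree with a tvb range. A text-only item like subtree:add("Packet Type: ...", buffer(0,1)), or an assignment such as MyProto.fields.type = 2, creates no filterable field, so every filter that mentions the field matches nothing.

```lua
-- Added example (not the original poster's or the answerer's code): a minimal
-- IEEE 802.15.4 payload dissector whose fields are filterable. Two things make
-- a Lua field match in a display filter:
--   1. the ProtoField is registered in proto.fields, and
--   2. the dissector adds that ProtoField to the tree with a tvb range.
-- The type codes/names in MSG_TYPES are assumptions for illustration.

local p_myproto = Proto("myproto", "MyProto Protocol")

-- Value string for the first payload byte (constructed for this example).
local MSG_TYPES = {
    [0x01] = "Hello",
    [0x02] = "Data",
    [0x7b] = "Status",
}

-- Dotted abbreviations keep these fields from colliding with other
-- protocols' fields in the filter engine.
local f_type    = ProtoField.uint8 ("myproto.type",    "Type",           base.HEX, MSG_TYPES)
local f_len     = ProtoField.uint32("myproto.len",     "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("myproto.payload", "Payload")
p_myproto.fields = { f_type, f_len, f_payload }

-- Expert info for a type byte that is not in the table.
local ef_unknown = ProtoExpert.new("myproto.unknown_type", "Unknown message type",
                                   expert.group.MALFORMED, expert.severity.WARN)
p_myproto.experts = { ef_unknown }

function p_myproto.dissector(buffer, pinfo, tree)
    local pktlen = buffer:len()
    if pktlen == 0 then return 0 end

    pinfo.cols.protocol:set("MYPROTO")

    -- Top-level item covering the whole payload. The tvb range given here is
    -- what the Packet Bytes pane highlights when this item is selected.
    local subtree = tree:add(p_myproto, buffer(0, pktlen), "MyProto Protocol Data")

    -- Adding the registered ProtoField with a 1-byte range is what makes
    -- "myproto.type == 0x7b" (or "myproto.type == Status") match this packet.
    -- A text-only subtree:add("Type: ...", buffer(0,1)) would not.
    local type_item = subtree:add(f_type, buffer(0, 1))
    local msg_type  = buffer(0, 1):uint()
    if MSG_TYPES[msg_type] == nil then
        type_item:add_proto_expert_info(ef_unknown)
    end

    -- Derived value with no bytes of its own on the wire: mark it generated.
    subtree:add(f_len, pktlen - 1):set_generated()

    -- The body as its own item with its own range, so selecting it highlights
    -- just bytes 1..pktlen-1 in the bytes pane (the "bonus question").
    if pktlen > 1 then
        subtree:add(f_payload, buffer(1, pktlen - 1))
    end

    pinfo.cols.info:set(string.format("%s (0x%02x), %d bytes",
        MSG_TYPES[msg_type] or "Unknown", msg_type, pktlen))

    return pktlen
end

-- Register on the PAN IDs used in the question.
local wpan_table = DissectorTable.get("wpan.panid")
wpan_table:add(104, p_myproto)
wpan_table:add(127, p_myproto)
```

Load it with wireshark -X lua_script:myproto.lua (or drop it in the personal plugins directory), then try the filters myproto (protocol present), myproto.type == 0x7b, myproto.type == "Status" (value-string names are accepted as well), and myproto.type != 0x7b. Each of them matches only packets where the dissector ran and added the field; that is why the original code, which never added a ProtoField to the tree, matched nothing for every filter. Highlighting in the bytes pane follows the tvb range of the selected item, so the Payload item added with buffer(1, pktlen - 1) highlights just the body, while the top-level item added with buffer(0, pktlen) highlights the whole payload.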