This is a static archive of our old Q&A Site. Please post any new questions and answers at

Filtering by fields generated in lua


I'm parsing some payloads in IEEE 802.15.4. The structure of the payloads is that the first byte indicates the data type. I would like to be able to filter by payload type. I seem to be able to create the filter for my dissector that is visible in the "Display Filter Expressions" dialog, but whenever I try to filter by the value it always filters out every one of my packets regardless of how I define my filter, such as type!=123 when I know that I have many types other than 123. Also simply entering type in the filter window filters out all my packets. I've tried a bunch of ways to try and set the type field and no joy. Would appreciate any pointers. Here is the code:

-- MyProto protocol
-- declare our protocol
MyProto = Proto("MyProto","MyProto Protocol")
-- Create the protocol fields
local f_type = ProtoField.uint8("type", "Type", base.HEX, proxyClientMsgType_t, 0, "MyProto Packet Type" )
MyProto.fields = { f_type }

-- create a function to dissect it
function MyProto.dissector(buffer,pinfo,tree)
    pinfo.cols.protocol =
    --local subtree = tree:add(MyProto,buffer(),"MyProto Protocol Data")

    local PacketType = buffer(0,1):uint()
    MyProto.fields.type = 2

    MyProto.fields.f_type = PacketType --does not seem to help with filter
    f_type = PacketType --does not seem to help with filter

    local subtree = tree:add(MyProto.fields.f_type , buffer(), "MyProto - " .. proxyClientMsgType_t[PacketType]:sub(13)  .. " - " .. PacketType .. " - <<"  ..   buffer(0,pktlen-1) .. ">>")
    subtree:add("Packet Type: " .. PacketType .. " - ".. MsgType_t[PacketType] .. " - " ..  MsgTypeDetailed_t[PacketType], buffer (0,1) )
end

-- load the wpan table
wpan_table = DissectorTable.get("wpan.panid")
-- register our protocol to handle udp port 7777
wpan_table:add(104,MyProto )
wpan_table:add(127, MyProto )

As a bonus question, I seem to be having difficulty getting the subtrees of my packet byte pane to highlight subsections of the payload bytes. How do I tie that together?

asked 23 Feb ‘17, 17:48

MountainLogic

accept rate: 0%

edited 24 Feb ‘17, 11:48

One Answer:

wpan_table:add(127, cota)

What is cota? For starters, I don't think your dissector is being registered properly and thus it's probably not ever being called. Maybe start with a smaller, simpler dissector first and build from there, for example:

-- Protocol
local p_myproto = Proto("MyProto", "MyProto Protocol")

-- Fields
local f_myproto_type = ProtoField.uint8("myproto.type", "Type", base.HEX)
p_myproto.fields = { f_myproto_type }

-- Dissection
function p_myproto.dissector(buffer, pinfo, tree)
    local myproto_tree = tree:add(p_myproto, buffer(0,-1))

    myproto_tree:add(f_myproto_type, buffer(0, 1))
end

-- Registration
local wpan_table = DissectorTable.get("wpan.panid")
wpan_table:add(104, p_myproto)
wpan_table:add(127, p_myproto)

See if that gets you any further?

There are also many Lua examples available on the wiki that should help you. See my answer to this question for a list of some. I also provided a simple Lua example in a comment I made to this other question, along with a link to a capture file hosted at cloudshark, which may or may not be useful to you as well.

answered 24 Feb ‘17, 11:27

cmaynard ♦♦
accept rate: 20%

Christopher, great answer. Works like a charm and it has really helped. Yes, I had tried to change variable name to something a bit more general and in the original it did get called just fine. I’ve edited my code in the question so I believe you can delete everything up to “Maybe” in your answer. Thanks –scott

(24 Feb ‘17, 14:02) MountainLogic
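
A fuller version of the approach in the answer, as an added example that is not code from this thread: the field only becomes filterable when it is added to the tree together with the byte range it was read from, and that same range is what the packet bytes pane highlights, which also covers the bonus question. The protocol name `myproto_ex`, the type values and their labels are constructed for illustration.

```lua
-- Added example (not the poster's or the answerer's code).
-- "myproto_ex", the type values and their labels are constructed.
local p_ex = Proto("myproto_ex", "MyProto Example")

-- Constructed value-string table: Wireshark shows the label next to the number.
local type_names = { [0x01] = "Status", [0x02] = "Config", [0x7b] = "Data" }

-- Prefix field abbreviations with the protocol name so that the filter
-- name does not collide with other protocols' fields.
local f_type    = ProtoField.uint8("myproto_ex.type", "Type", base.HEX, type_names)
local f_payload = ProtoField.bytes("myproto_ex.payload", "Payload")
p_ex.fields = { f_type, f_payload }

function p_ex.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len < 1 then return 0 end            -- empty payload: not dissected

    pinfo.cols.protocol = "MYPROTO_EX"

    -- Root item spans the whole payload; selecting it highlights every byte.
    local subtree = tree:add(p_ex, buffer(0, len))

    -- Adding the ProtoField with its TvbRange is what populates the value
    -- that display filters such as "myproto_ex.type != 0x7b" are tested
    -- against, and it ties the tree item to byte 0 in the bytes pane.
    local type_range = buffer(0, 1)
    local ptype = type_range:uint()
    local label = type_names[ptype] or "Unknown"
    subtree:add(f_type, type_range)
    subtree:append_text(", Type: " .. label)

    -- The remaining bytes get their own item and their own highlight range.
    if len > 1 then
        subtree:add(f_payload, buffer(1, len - 1))
    end

    pinfo.cols.info = string.format("Type 0x%02x (%s)", ptype, label)
    return len
end

-- Same registration as in the answer: PAN IDs 104 and 127.
local wpan_table = DissectorTable.get("wpan.panid")
wpan_table:add(104, p_ex)
wpan_table:add(127, p_ex)
```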