This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

lua dissector \ running for TCP AND UDP

0

Hello,

I am currently writing a dissector with Lua which uses data from UDP AND TCP. So I register the dissector like this:

udp_table = DissectorTable.get("udp.port")
udp_table:add(1024, SEL)
tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(1024, SEL)

But in the function SEL.dissector(_tvbuf, _pktinfo, _root), I need to know if this data is coming from UDP or TCP.

Is there a way to detect UDP or TCP data?

Thanks

asked 26 Apr '17, 12:28

SebastienRolle

edited 26 Apr '17, 17:07


One Answer:

0

Yes, there is. Create the SEL_udp and SEL_tcp functions to register with the respective protocols and have them call SEL with an extra flag indicating the protocol it came from. This is how it's done in other dissectors as well.

answered 26 Apr '17, 23:48

Jaap ♦

Thanks a lot. Can you point me to an existing dissector in order for me to understand?

Thanks, Sebastien

(27 Apr '17, 05:36) SebastienRolle

I have done this but unfortunately it doesn't work. Can you give me a little more detail about the proposed solution?

local SEL = Proto("sel", "sel");

function aa(_tvbuf, _pktinfo, _root)
end

function bb(_tvbuf, _pktinfo, _root)
end

function SEL.dissector(_tvbuf, _pktinfo, _root)
end

DissectorTable.get("udp.port"):add_for_decode_as(aa)
DissectorTable.get("tcp.port"):add_for_decode_as(bb)

(27 Apr ‘17, 10:59) SebastienRolle

I don’t do Lua myself, but reckon it would be something like this:

local SEL_udp = Proto("sel_udp", "sel_udp")
local SEL_tcp = Proto("sel_tcp", "sel_tcp")

-- Shared dissection routine; is_tcp says which transport the data came from
local function SEL(_tvbuf, _pktinfo, _root, is_tcp)
    -- …
end

-- Per-transport wrappers that pass the flag on to the shared routine
function SEL_udp.dissector(_tvbuf, _pktinfo, _root)
    SEL(_tvbuf, _pktinfo, _root, false)
end

function SEL_tcp.dissector(_tvbuf, _pktinfo, _root)
    SEL(_tvbuf, _pktinfo, _root, true)
end

udp_table = DissectorTable.get("udp.port")
udp_table:add(1024, SEL_udp)
tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(1024, SEL_tcp)

If you don’t want to have the separate dissector registrations (one for UDP, one for TCP) you might also be able to look at pktinfo. In that structure you should have a ptype field, which indicates the (transport) protocol as well.

(28 Apr ‘17, 01:39) Jaap ♦
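
The single-registration alternative mentioned in the last comment, as an added example that is not part of the original thread: in the Lua API the transport is readable as pinfo.port_type. The field names, the "SEL example" description and the numeric values 2 and 3 (taken from Wireshark's port type enumeration) are assumptions of this sketch; port 1024 comes from the question.

```lua
-- Added example: one Proto registered on both port tables; the transport
-- is read from pktinfo.port_type inside the dissector.
-- Assumption: numeric values follow Wireshark's port type enum
-- (PT_NONE = 0, PT_SCTP = 1, PT_TCP = 2, PT_UDP = 3).
local PT_TCP, PT_UDP = 2, 3

local sel = Proto("sel", "SEL example")

-- Hypothetical fields, only there to make the result visible in the tree
local f_transport = ProtoField.string("sel.transport", "Transport")
local f_payload   = ProtoField.bytes("sel.payload", "Payload")
sel.fields = { f_transport, f_payload }

function sel.dissector(tvbuf, pktinfo, root)
    local len = tvbuf:len()
    if len == 0 then
        return 0  -- nothing to dissect
    end

    -- Decide which transport delivered this buffer
    local transport
    if pktinfo.port_type == PT_TCP then
        transport = "TCP"
    elseif pktinfo.port_type == PT_UDP then
        transport = "UDP"
    else
        return 0  -- reached via some other transport: not handled here
    end

    pktinfo.cols.protocol:set("SEL")
    local tree = root:add(sel, tvbuf:range(0, len))
    -- Generated item: the value is derived from packet metadata, not from bytes
    tree:add(f_transport, transport):set_generated()
    tree:add(f_payload, tvbuf:range(0, len))

    -- Transport-specific parsing would branch on `transport` from here on
    return len
end

-- The same Proto object is added to both tables
DissectorTable.get("udp.port"):add(1024, sel)
DissectorTable.get("tcp.port"):add(1024, sel)
```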