Dissect requests and replies

Question

Hello,

I am writing a dissection script for wireshark and I should point the replies/ack for specific packets. As a first implementation I create an array and write down the request ID and when a reply arrives checks if it's ID is part of this table. I would like to print an arrow (just like ping request reply) to point out the request and reply.

alt text

Answer 1

In Lua you can add two ProtoField's (one for request and one for response) for this and use frametype.REQUEST / frametype.RESPONSE as valuestring. You will get the arrows when using this fields.

Have a look in the ProtoField documentation.

Answer 2

I think you have to make sure to register the fields appropriately

From the ICMP dissector:

             {&hf_icmp_resp_in,
             {"Response frame", "icmp.resp_in", FT_FRAMENUM, BASE_NONE,
              FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0x0,
              "The frame number of the corresponding response",
              HFILL}},
        {&amp;hf_icmp_resp_to,
         {&quot;Request frame&quot;, &quot;icmp.resp_to&quot;, FT_FRAMENUM, BASE_NONE,
          FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0x0,
          &quot;The frame number of the corresponding request&quot;, HFILL}},</code></pre><p>I don't know if this can be done from LUA already.</p></div><div class="answer-controls post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>answered <strong>29 Jun '17, 03:53</strong></p><img src="https://secure.gravatar.com/avatar/2337f0406681e5c72ea0e6f1f0d6c0b0?s=32&amp;d=identicon&amp;r=g" class="gravatar" width="32" height="32" alt="Jaap&#39;s gravatar image" /><p><span>Jaap ♦</span><br />

11.7k●16●101

accept rate: 14%