Are there “tcp.srcport” or “tcp.dstport” dissector tables?

Question

Is it possible to get DissectorTable according to "tcp.srcport" or "tcp.dstport" in Lua? Now,I have two package, one's tcp source port is 7709, another's tcp destination port is 7709. That is ,a request and a response. The fields of request package and response package are different. So I need to register two different dissector to process the two different packaget. At the time, I do it like this: local tcp_req_table = DissectorTable.get("tcp.port") tcp_req_table:add(7709,p_req)

local tcp_res_table = DissectorTable.get("tcp.port") tcp_res_table:add(7709,p_res)

But,finally, only the p_res works. So, How should I register the two different dissector? When I try "DissectorTable.get("tcp.srcport")", wireshark said that didn't exist. Thank you!

Answer 1

There do not exist "tcp.srcport" or "tcp.dstport" dissector tables, so you can't get them in any programming language, whether it's C or Lua or....

You do not need to register two different dissectors for this case. You merely need to have the one-and-only dissector for port 7709 determine whether the packet is a request or a response and dissect it appropriately?

Does this protocol truly have no field in the packet to indicate whether it's a request or a response? If it truly has no such field, then the best you can do is something such as checking whether the matching port value is the same as the source port or the destination port. In a C-language dissector, this would be done by comparing pinfo->match_uint with pinfo->srcport or pinfo->dstport; I think there is a Lua API to access match_uint, but it doesn't look as if there's one to access srcport or dstport, so you might have to compare match_uint against 7709.

Answer 2

To add a few notes for the Guy's answer, if you want to register multiple dissectors per port you have an option of saving previous dissector registered for that port and calling it in your dissector, thus creating dissector chain. The sample code can be found within wiki and looks smth like this:

do
        local wrapper_proto    = Proto("my_proto", "My Protocol")
        local MY_PORT          = 7709
    local f_tcp_srcport    = Field.new(&quot;tcp.srcport&quot;)
    local f_tcp_dstport    = Field.new(&quot;tcp.srcport&quot;)

    local original_dissector

    function wrapper_proto.dissector(tvbuffer, pinfo, treeitem)

        -- invoke original dissector
        pcall(
                function()
                    original_dissector:call(tvbuffer, pinfo, treeitem)
                end
            )

        -- now do your job
        if f_tcp_srcport() &amp;&amp; f_tcp_srcport().value == MY_PORT then
            -- handle response
        end
        if f_tcp_dstport() &amp;&amp; f_tcp_dstport().value == MY_PORT then
            -- handle request
        end

    end

    local tcp_dissector_table = DissectorTable.get(&quot;tcp.port&quot;)
    -- save the original dissector so we can still get to it
    original_dissector = tcp_dissector_table:get_dissector( MY_PORT ) 
    -- and take its place in the dissector table
    tcp_dissector_table:add( MY_PORT, wrapper_proto)

end

Answer 3

Yes, ShowmeaX is right. I test it as following:

1) data.dissector

2) report.dissector

3)

local data_dissector = data.dissector
local report_dissector = report.dissector
function wrapper.dissector(buffer, pinfo, tree)
if *** then
    data_dissector:call(buffer, pinfo, tree)
elseif *** then
    report_dissector:call(buffer, pinfo, tree)
end

4) add wrapper to dissectorTable