This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Calling a chained dissector on a well-known port

1

I am currently trying to write a Lua chained dissector that would take place on a well-known port. I first wrote it as a post-dissector, and everything was working, but for some reason, the dissector function is never called for a chained dissector.

For test purposes, the code is as simple as this:

-- declare our protocol
httpProto = Proto("http", "http")

print("out of the dissector")

--======================--
-- create a function to dissect it
--======================--
function httpProto.dissector( buffer, pinfo, tree )
    print("In the dissector")
end

-- load the tcp.port table
tcp_table = DissectorTable.get( "tcp.port" )

-- register our protocol to handle the chosen port
tcp_table:add( 80, httpProto )

I ran it using tshark with a sample HTTP capture from the Wireshark site (http.cap), but the message “In the dissector” is never displayed:

C:\Program Files (x86)\Wireshark>tshark.exe -r http.cap
out of the dissector
1 0.000000 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 80 0
2 0.911310 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1 3372 0
3 0.911310 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=1 Ack=1 Win=9660 Len=0 80 0
4 0.911310 145.254.160.237 -> 65.208.228.223 HTTP GET /download.html HTTP/1.1 80 0
5 1.472116 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [ACK] Seq=1 Ack=480 Win=6432 Len=0 3372 0
6 1.682419 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
7 1.812606 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=1381 Win=9660 Len=0 80 0
8 1.812606 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
9 2.012894 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=2761 Win=9660 Len=0 80 0
10 2.443513 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
11 2.553672 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
12 2.553672 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=5521 Win=9660 Len=0 80 0
13 2.553672 145.254.160.237 -> 145.253.2.203 DNS Standard query A pagead2.googlesyndication.com 53
14 2.633787 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
15 2.814046 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=6901 Win=9660 Len=0 80 0
16 2.894161 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
17 2.914190 145.253.2.203 -> 145.254.160.237 DNS Standard query response CNAME pagead2.google.com CNAME pagead.google.akadns.net A 216.239.59.104 A 216.239.59.99 3009
18 2.984291 145.254.160.237 -> 216.239.59.99 HTTP GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1 80 2
[…]

However, if I change the code in order to bind it to an “empty” port (as follows):

[…]
-- load the tcp.port table
tcp_table = DissectorTable.get( "tcp.port" )

-- register our protocol to handle the chosen port
tcp_table:add( 1756, httpProto )

…and then I feed tshark with a trace that contains a packet from this port, I can see my “In the dissector”:

C:\Program Files (x86)\Wireshark>tshark.exe -r test1756Packets.pcap
out of the dissector
In the dissector
1 0.000000 10.1.0.122 -> 10.2.17.199 TCP 63545 > capfast-lmd [PSH, ACK] Seq=1 Ack=1 Win=64164 Len=20 1756 0
In the dissector
2 0.006478 10.2.17.199 -> 10.1.0.122 TCP capfast-lmd > 63545 [PSH, ACK] Seq=1 Ack=21 Win=1664 Len=64 63545 0

I am running Wireshark 1.6.4 (32- and 64-bit, I tried both) on Windows 7 (64-bit). Can you help me find what am I doing wrong?

asked 22 Dec ‘11, 12:26

Mathieu
accept rate: 0%

edited 22 Dec ‘11, 16:30

helloworld


One Answer:

2

The problem is that you're trying to declare a dissector with an existing name; there's already a dissector named "http". You should see the error when you try to load the script:

$ tshark -Xlua_script:test.lua -i en0 -R "http"
tshark: Lua: Error during loading:
 [string "test.lua"]:2: bad argument #1 to 'Proto' (Proto_new: there cannot be two protocols with the same name)

Also, as is, the code shown in your question isn't actually a chained dissector because it doesn't call the original dissector. I'm guessing that was just a copy-and-paste mistake.

With the appropriate changes in test.lua (new protocol name, saved original dissector, and the call to it):

-- declare our protocol
httpProto = Proto("httpwrap", "HTTP wrapper")
print("out of the dissector")

--======================--
-- create a function to dissect it
--======================--
function httpProto.dissector( buffer, pinfo, tree )
    print("In the dissector")
    -- hand the packet to the original HTTP dissector
    orig_http_dis:call( buffer, pinfo, tree )
end

-- load the tcp.port table
tcp_table = DissectorTable.get( "tcp.port" )

-- remember the dissector currently registered for port 80 (HTTP)
-- before we replace it
orig_http_dis = tcp_table:get_dissector( 80 )

-- register our protocol to handle the chosen port
tcp_table:add( 80, httpProto )


…you should see the expected output from your chained dissector:

$ tshark -Xlua_script:test.lua -R "http" -r http.cap
out of the dissector
In the dissector
0.911310 145.254.160.237 -> 65.208.228.223 HTTP 533 GET /download.html HTTP/1.1
In the dissector
1.682419 65.208.228.223 -> 145.254.160.237 HTTP/XML 1434 HTTP/1.1 200 OK
In the dissector
[…]

answered 22 Dec ‘11, 17:36

helloworld
accept rate: 28%

I am sorry, you are right: I changed the Proto field to make it more verbose and I didn't try to rerun the script. I removed the call to the original dissector to make it as simple as possible.

I copy/pasted your exact script that you gave me, but I get the same output:

C:\Program Files (x86)\Wireshark>tshark.exe -r http.cap
out of the dissector
1 0.000000 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 80 0
2 0.911310 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1 3372 0
3 0.911310 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=1 Ack=1 Win=9660 Len=0 80 0
4 0.911310 145.254.160.237 -> 65.208.228.223 HTTP GET /download.html HTTP/1.1 80 0
5 1.472116 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [ACK] Seq=1 Ack=480 Win=6432 Len=0 3372 0
6 1.682419 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
7 1.812606 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=1381 Win=9660 Len=0 80 0
8 1.812606 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
9 2.012894 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=2761 Win=9660 Len=0 80 0
10 2.443513 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
11 2.553672 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
12 2.553672 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=5521 Win=9660 Len=0 80 0
13 2.553672 145.254.160.237 -> 145.253.2.203 DNS Standard query A pagead2.googlesyndication.com 53
14 2.633787 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
15 2.814046 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=6901 Win=9660 Len=0 80 0
16 2.894161 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
17 2.914190 145.253.2.203 -> 145.254.160.237 DNS Standard query response CNAME pagead2.google.com CNAME pagead.google.akadns.net A 216.239.59.104 A 216.239.59.99 3009
18 2.984291 145.254.160.237 -> 216.239.59.99 HTTP GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1 80 2
[…]

The function httpProto.dissector(…) really seems never to be called. It is always the default HTTP dissector that is called, as if taking its place in the DissectorTable doesn't work.

(23 Dec ‘11, 07:56) Mathieu

What version of Wireshark/TShark are you running? I just tried my script successfully from Windows 7 with TShark 1.7.0 (SVN 39768). I even used the plugins directory to avoid explicitly specifying the script (as you are doing).

C:\temp>tshark -R "http" -r http.cap
out of the dissector
In the dissector
4   0.911310 145.254.160.237 -> 65.208.228.223 HTTP 533 GET /download.html HTTP/1.1
In the dissector
6   1.682419 65.208.228.223 -> 145.254.160.237 HTTP/XML 1434 HTTP/1.1 200 OK
In the dissector
8   1.812606 65.208.228.223 -> 145.254.160.237 HTTP 1434 Continuation or non-HTTP traffic
(23 Dec ‘11, 13:19) helloworld
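The pattern from the accepted answer, carried one step further as an added example (this is not the answerer's script and not part of the original thread): a chained dissector that takes over TCP port 80, hands every segment to the original HTTP dissector first, and then post-processes the fields that dissector populated. The Proto name "httpwrap", the field "httpwrap.len", the "Request to ..." note and the "../" check are this example's own choices, chosen only to show what chaining buys you over a plain replacement; the Wireshark Lua calls used (Proto, ProtoField, Field.new, DissectorTable:get_dissector, Dissector:call, TreeItem:add_expert_info) are the ones the 1.x API documents.

```lua
-- Added example: chain onto the built-in HTTP dissector on TCP port 80.
-- Names "httpwrap", "httpwrap.len" and the checks below are this example's
-- own, not something Wireshark ships.

-- The protocol name must not collide with an existing one ("http" is taken,
-- which is exactly the Proto_new error the answer above shows).
local httpwrap = Proto("httpwrap", "HTTP wrapper")

-- A field of our own so the annotation is visible in the tree and filterable.
local f_len = ProtoField.uint32("httpwrap.len", "TCP payload length", base.DEC)
httpwrap.fields = { f_len }

-- Field extractors must be created at load time. When called inside the
-- dissector they return the values the original HTTP dissector has already
-- added to the current packet's tree (nil when the field is absent).
local f_host = Field.new("http.host")
local f_uri  = Field.new("http.request.uri")

local tcp_table = DissectorTable.get("tcp.port")

-- Capture whatever is registered for port 80 BEFORE replacing it; after
-- tcp_table:add() below, the table entry points at us, not at HTTP.
local orig_http = tcp_table:get_dissector(80)

function httpwrap.dissector(buffer, pinfo, tree)
    -- 1. Let the real HTTP dissector run first: it handles desegmentation,
    --    fills in http.* fields and sets the Protocol/Info columns.
    orig_http:call(buffer, pinfo, tree)

    -- 2. Append our own subtree after it.
    local subtree = tree:add(httpwrap, buffer(), "HTTP wrapper")
    subtree:add(f_len, buffer:len())

    -- 3. Post-process fields the original populated. Pure ACKs, responses and
    --    reassembly segments carry no request fields, so guard every use.
    local host = f_host()
    local uri  = f_uri()
    if host and uri then
        local uri_str = tostring(uri)
        subtree:add_expert_info(PI_PROTOCOL, PI_NOTE,
            "Request to " .. tostring(host) .. uri_str)
        -- Illustrative check: a literal "../" in the request path is worth
        -- flagging in a capture review (plain find, no pattern matching).
        if uri_str:find("../", 1, true) then
            subtree:add_expert_info(PI_SECURITY, PI_WARN,
                "Path traversal sequence in URI: " .. uri_str)
        end
    end
end

-- Replace the port-80 entry with the wrapper. The original dissector stays
-- reachable through orig_http, so nothing HTTP did before is lost.
tcp_table:add(80, httpwrap)
```

Load it the same way the answer does (tshark -X lua_script:httpwrap.lua -r http.cap, or drop it in the plugins directory) and filter on httpwrap.len or on the expert-info severity to see the annotations. Two things to keep in mind: the wrapper only sees traffic that reaches port 80 through the tcp.port table, so HTTP on other ports or found heuristically is not chained; and because get_dissector(80) is evaluated at load time, this script must load after the built-in HTTP dissector is registered, which is the case for any script Wireshark loads itself.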