This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t get Lua dissector to add to tree with Protofields

2
1

I've a simple Lua dissector, which uses what I think is the 'old' format for adding to the tree.

subtree:add(buffer(3,1),"The 4th byte: " .. buffer(3,1):uint())

I've tried using protofields instead, but nothing gets added to the tree.

foo_proto.fields.u16 = ProtoField.uint16("foo.u16", "Unsigned short", base.HEX)
local t = tree:add(foo_proto,buf())
t:add(foo_proto.fields.u16, buf(0,2))

Does anyone have any pointers to how to do this, or a working simple dummy TCP dissector?

This is Wireshark 1.6.5 on Windows, BTW.

asked 20 Feb '12, 16:04

roddyp's gravatar image

roddyp
31123
accept rate: 0%

I'd also like to know how to use the new "ProtoField" based TreeItem:add(), instead of having to manually construct labels etc. When I do it that way, my subtree shows up empty in the Wireshark GUI. Seems to be working OK in tshark though..

Code example:

local f = CCMP.fields
f.start = ProtoField.uint8 ("ccmp.start", "Start", base.HEX)
subtree:add(f.start, buf(0, 1))

I'm also on Windows, and have tried 1.6.6 stable and 1.7.1 development.

(06 May '12, 20:48) rfi

I've updated my answer to include a ProtoFields example.

(06 May '12, 21:42) helloworld

Thank you helloworld.

For anyone else that can't get this working, my problem was that I tested my script by evaluating it using Tools > Evaluate in the GUI. When I ran it from the command line using

wireshark -X lua_script:\proto.lua

it worked fine.

(06 May '12, 23:02) rfi

One Answer:

0

The Lua you've shown is syntactically correct and functional. It's not exactly "old"; it's just another way of adding items to the tree.

I'm guessing you grabbed the snippet from the Lua/Dissectors wiki page, which I confirmed works in 1.7.0 on Windows 7. Here's the same code from the Lua wiki, modified for tcp:

trivial_proto = Proto("trivial","Trivial Protocol")

function trivial_proto.dissector(buffer,pinfo,tree)
pinfo.cols.protocol = "TRIVIAL"
local subtree = tree:add(trivial_proto,buffer(),"Trivial Protocol Data")
subtree:add(buffer(0,2),"The first two bytes: " .. buffer(0,2):uint())
subtree = subtree:add(buffer(2,2),"The next two bytes")
subtree:add(buffer(2,1),"The 3rd byte: " .. buffer(2,1):uint())
subtree:add(buffer(3,1),"The 4th byte: " .. buffer(3,1):uint())
end


tcp_table = DissectorTable.get("tcp.port")
– register our protocol to handle tcp port 80 (HTTP)
tcp_table:add(80,trivial_proto)

Copy that to a Lua file in your Wireshark plugins directory (e.g., %APPDATA%\Wireshark\plugins\trivial.lua). Start a Wireshark capture, open your browser to a web page (e.g., http://www.google.com), and watch Wireshark’s Protocol column fill up with “TRIVIAL”. You’ll also see the “Trivial” tree items.

EDIT: Here’s an equivalent dissector that uses ProtoFields:

local trivial_proto = Proto("trivial","Trivial Protocol")


local F = trivial_proto.fields


F.f_1 = ProtoField.uint16("trivial.first_two", "The first two bytes")
F.f_2 = ProtoField.uint8("trivial.third", "The 3rd byte")
F.f_3 = ProtoField.uint8("trivial.fourth", "The 4th byte")


function trivial_proto.dissector(buffer,pinfo,tree)
pinfo.cols.protocol = "TRIVIAL"
local subtree = tree:add(trivial_proto,buffer(),"Trivial Protocol Data")
subtree:add(F.f_1, buffer(0,2))
subtree = subtree:add(buffer(2,2),"The next two bytes")
subtree:add(F.f_2, buffer(2,1))
subtree:add(F.f_3, buffer(3,1))
end


tcp_table = DissectorTable.get("tcp.port")
– register our protocol to handle tcp port 80 (HTTP)
tcp_table:add(80,trivial_proto)

answered 25 Feb ‘12, 16:56

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

edited 06 May ‘12, 21:48