Wireshark mailing list archives
Re: Wireshark lua dissector unable to load for media_type=application/octet-stream
From: Cong Ling <cong.ling () happyelements com>
Date: Sun, 20 Oct 2013 00:17:54 +0800
I think it might be a bug in Wireshark when the media_type is not listed in the dissector table. 'application/octet-stream' is not listed in the table yet.

After I use Lua->evaluate in Wireshark, the dissector table shows my protocol like this, 'application/octet-stream' appears as garbled text.

Regards,
Cong Ling

On 2013-10-19, at 10:50 PM, Cong Ling <cong.ling () happyelements com> wrote:

Hi all,

I'm trying to write a Lua Proto to parse our private protocol on HTTP. But Wireshark didn't enter my dissector function when the media_type is set to "application/octet-stream". When the media_type is set to "text/html", everything looks fine.

Is there special handling for application/octet-stream? I have been working on it for almost a day. Could you help me out? Thanks a lot.

My Wireshark version is 1.10.2 on Mac OS X 10.8.5.

Here's my code:

    do
        local myproto = Proto("myprotoProtocol", "myproto Protocol")
        local f_version = ProtoField.uint32("Version", "Version", base.DEC)
        myproto.fields = {f_version}

        -- fallback dissector for payloads that are not ours
        local data_dis = Dissector.get("data")

        local function myproto_dissector(tvb, pkt, root)
            print("enter myproto_dissector, tvb.len:" .. tostring(tvb:len()))
            -- too short to be one of our messages
            if tvb:len() < 17 then return false end
            pkt.cols.protocol = "myproto"
            local t = root:add(myproto, tvb)
            t:add(f_version, tvb(0,2))
            -- TvbRange methods are called with ':', not '.'
            local version = tvb(0,2):uint()
            print("version:" .. tostring(version))
            return true
        end

        function myproto.dissector(tvb, pkt, root)
            print("enter myproto.dissector")
            -- hand the buffer to the generic data dissector if it is not ours
            if not myproto_dissector(tvb, pkt, root) then
                data_dis:call(tvb, pkt, root)
            end
        end

        -- register on the HTTP media_type (Content-Type) table
        local tbl = DissectorTable.get("media_type")
        tbl:add("application/octet-stream", myproto)
        --tbl:add("text/html", myproto) --text/html looks fine
        print("adding myproto into DissectorTable")
    end

I use tshark to debug for application/octet-stream:

    $tshark -r test.pcapng |grep application/octet-stream
    108 40.536817000 10.8.0.14 -> 10.130.142.72 HTTP 418 POST /protocol?uid=101225&uid=101225&_t=1382115502 HTTP/1.1 (application/octet-stream)
    111 40.596037000 10.130.142.72 -> 10.8.0.14 HTTP 63 HTTP/1.1 200 OK (application/octet-stream)
    120 40.657143000 10.8.0.14 -> 10.130.142.72 HTTP 445 POST /protocol?uid=101225&uid=101225&_t=1382115502 HTTP/1.1 (application/octet-stream)
    124 40.729645000 10.130.142.72 -> 10.8.0.14 HTTP 63 HTTP/1.1 200 OK (application/octet-stream)
    219 41.810493000 10.8.0.14 -> 10.130.142.72 HTTP 488 POST /protocol?uid=101225&uid=101225&_t=1382115503 HTTP/1.1 (application/octet-stream)
    226 41.919401000 10.130.142.72 -> 10.8.0.14 HTTP 63 HTTP/1.1 200 OK (application/octet-stream)

    $tshark -r test.pcapng -X lua_script:canon.lua | grep myproto
    adding myproto into DissectorTable

for text/html

    $tshark -r test.pcapng -X lua_script:canon.lua | grep myproto
    adding myproto into DissectorTable
    enter myproto.dissector
    enter myproto_dissector, tvb.len:2
    enter myproto.dissector
    enter myproto_dissector, tvb.len:6
    enter myproto.dissector
    enter myproto_dissector, tvb.len:6

Regards,
Cong Ling

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe