Wireshark mailing list archives
Re: lua decoder accessing info from layers above
From: Martin Kaiser <lists () kaiser cx>
Date: Wed, 21 Oct 2020 22:42:53 +0200
Thus wrote Maynard, Chris via Wireshark-dev (wireshark-dev () wireshark org):
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of chuck c
Sent: Wednesday, October 14, 2020 10:33 AM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] lua decoder accessing info from layers above
    local p_foo = Proto.new("foo", "foo")
    local f_frame_protocols = Field.new("frame.protocols")

    function p_foo.dissector(buf, pinfo, tree)
        print(pinfo.number, "Protocols: " .. (f_frame_protocols() and f_frame_protocols().value or "Unknown"))
        -- print(pinfo.number, f_frame_protocols().value)
    end

    register_postdissector(p_foo)
Script above prints to the Lua console. What was the situation where it doesn't work?
It works as a post-dissector, but not as a registered dissector. For example, replace:
    register_postdissector(p_foo)
with something like so, replacing the port number with whatever you can easily test with:
    local udp_table = DissectorTable.get("udp.port")
    udp_table:add(33333, p_foo)
Yet you can access and print other frame fields such as "frame.len" and "frame.cap_len".
frame.protocols is added to the tree by the frame dissector after all upper-layer protocols have run, i.e. after the big try-catch block in packet-frame.c and before the try-catch block for postdissectors.

This makes sense to me. We have to dissect the packet completely before we can compile the list of all protocols that got to see the packet.

Thus, by the time p_foo.dissector runs, there's no frame.protocols field in the tree yet. f_frame_protocols() is nil. Field__call() calls proto_get_finfo_ptr_array() which doesn't find a frame.protocols entry in the tree.

This is different for frame.len and frame.cap_len. These fields are added to the tree before packet-frame.c passes control to other dissectors.

When postdissectors are called, frame.protocols is also present in the tree and visible to postdissectors.

Best regards,
Martin
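
The ordering described in this message, as an added example that is not code from any participant in the thread: a table-registered dissector reads only the fields that already exist when it runs (frame.len), and a separate postdissector reads frame.protocols once the frame dissector has added it. The protocol names "foo" and "foo_post", the field abbreviations, and the frame-number table are assumptions made for the illustration; port 33333 is the placeholder port used earlier in the thread.

```lua
-- Added example: split work between a table-registered dissector and a postdissector.
local p_foo      = Proto("foo", "Foo payload")            -- hypothetical protocol
local p_foo_post = Proto("foo_post", "Foo stack summary") -- hypothetical postdissector

-- Field extractors must be created at load time, not inside a dissector function.
local f_frame_len       = Field.new("frame.len")
local f_frame_protocols = Field.new("frame.protocols")

local pf_len   = ProtoField.string("foo.frame_len", "frame.len seen by dissector")
local pf_stack = ProtoField.string("foo_post.stack", "frame.protocols seen by postdissector")
p_foo.fields      = { pf_len }
p_foo_post.fields = { pf_stack }

-- Frames handled by p_foo, so the postdissector annotates only those.
local foo_frames = {}

-- Return the field's value as a string, or nil if the field is not in the tree yet.
local function value_of(extractor)
    local finfo = extractor()
    return finfo and tostring(finfo.value) or nil
end

-- Runs while upper layers are still being dissected: frame.len is present,
-- frame.protocols is not. A nil here means "not built yet", not "no protocols",
-- so no filtering or alerting decision is made on it at this stage.
function p_foo.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "FOO"
    foo_frames[pinfo.number] = true
    local subtree = tree:add(p_foo, buf())
    subtree:add(pf_len, value_of(f_frame_len) or "nil")
end

-- Runs after the frame dissector has compiled the protocol list.
function p_foo_post.dissector(buf, pinfo, tree)
    if not foo_frames[pinfo.number] then return end
    local stack = value_of(f_frame_protocols)
    if not stack then return end   -- defensive: stay silent rather than guess
    local subtree = tree:add(p_foo_post, "Foo stack summary")
    subtree:add(pf_stack, stack)
end

DissectorTable.get("udp.port"):add(33333, p_foo)
register_postdissector(p_foo_post)
```

Any logic that depends on the complete protocol stack belongs in the postdissector; in the table-registered dissector a fallback such as "Unknown" would be printed for every packet.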