Wireshark mailing list archives

Accessing calculated fields from Lua


From: Beth <beth.tridium () gmail com>
Date: Tue, 6 Apr 2010 10:27:42 -0400

I am writing a Lua script that extracts certain fields from various
protocols and then adds them to the display tree.  It doesn't create any new
information, just collects these fields of interest all in one place for
easier viewing.

The problem I am running into is that some of the fields do not exist inline
in the packet data; they are expanded from compressed info.  So the
highlighted bytes in the packet for those fields are only part of the
expanded value, and in some cases none of the expanded value is found in the
packet (just a bit that tells the dissector to look elsewhere).  When the
Lua field extractors try to get the values of these fields, they apparently
assume that the value is contained explicitly in the packet, thus getting
incorrect data or perhaps none at all.  (In fact if the original field is
entered into the tree with a length of 0, the Lua field extractor will get
an error.)

I have been digging through the wslua code in hopes that there is a simple
solution, as I have occasionally found in the past, but quickly found myself
over my head.  Can someone confirm that the issue I have described is real?
And if so, are there any hints as to where a fix might belong?  I can't even
figure out where or how these calculated field values are stored; one would
assume in a field_info struct, but when I print out the contents of the
field_info with the correct hfinfo->id, the value I get seems to be
extracted from the packet data again, not the calculated/expanded value.

The example I'm currently struggling with is the 6LoWPAN IPv6 src & dest
addresses, but this isn't the Wireshark dissector; it's a plugin created
from someone else's code.  (We'll move to the Wireshark dissector when it
starts being included in the stable releases.)

Thanks for any advice you can offer.
b.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
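
A sketch of the collecting post-dissector described in the message above, as an added example that is not part of the original post or of Wireshark's own code. It assumes a Wireshark release whose Lua API provides FieldInfo.display and FieldInfo.is_generated, and that the dissector registers the addresses under the filter names ipv6.src and ipv6.dst; the "foi" protocol and its field are hypothetical names.

```lua
-- Added example: hypothetical "foi" post-dissector that gathers fields of interest.
-- The filter names below are assumptions; a third-party plugin may use others.
local wanted = { "ipv6.src", "ipv6.dst" }

-- Field extractors must be created at load time, outside the dissector function.
-- Field.new raises an error for an unregistered name, so skip those safely.
local extractors = {}
for _, name in ipairs(wanted) do
    local ok, f = pcall(Field.new, name)
    if ok then extractors[name] = f end
end

local foi = Proto("foi", "Fields of Interest")
local pf_entry = ProtoField.string("foi.entry", "Entry")
foi.fields = { pf_entry }

-- Read a FieldInfo attribute without letting an extraction error abort dissection.
local function safe(finfo, attr)
    local ok, v = pcall(function() return finfo[attr] end)
    if ok then return v end
    return nil
end

-- Prefer the string the dissector rendered over bytes re-read from the packet,
-- so values expanded from compressed headers are reported as displayed.
local function rendered(finfo)
    return safe(finfo, "display") or "<unavailable>"
end

function foi.dissector(tvb, pinfo, tree)
    local subtree
    for _, name in ipairs(wanted) do
        local extract = extractors[name]
        local infos = extract and { extract() } or {}  -- one entry per occurrence
        for _, finfo in ipairs(infos) do
            subtree = subtree or tree:add(foi, "Fields of Interest")
            local note = ""
            if safe(finfo, "is_generated") then
                note = " [generated]"
            elseif safe(finfo, "len") == 0 then
                note = " [no bytes in packet]"
            end
            subtree:add(pf_entry, name .. " = " .. rendered(finfo) .. note)
        end
    end
end

register_postdissector(foi)
```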