Wireshark mailing list archives

Re: Save extracted data from reassembled packets


From: Peter Smith <psmith135 () gmail com>
Date: Mon, 22 Feb 2010 16:23:31 +0200

Yes, that was the starting point but I have already tried numerous other
ways to get the data out of the extracted field with no luck. I found a
similar sample from this presentation for Sharkfest'09 available here:
http://www.cacetech.com/sharkfest.09/DT06_Bjorlykke_Lua%20Scripting%20in%20Wireshark.pdf

Here is the code sample from it:

=======================
-- Register a field extractor (must be done at load time, outside the callback)
udp_len_f = Field.new ("udp.length")

local function menuable_tap ()
    -- Listener on the UDP tap; tap.packet runs once per UDP packet
    local tap = Listener.new ("udp")
    function tap.packet (pinfo, buffer, userdata)
        -- Fetch the UDP length of the packet currently being dissected
        local udp_len = udp_len_f()
        if udp_len and udp_len.value > 400 then
            -- Do something with big UDP packages
        end
    end
end

-- Expose the tap from the Tools menu
register_menu ("Lua/Big UDP packets", menuable_tap, MENU_TOOLS_UNSORTED)
=======================

Apparently the reassembled data is contained within the userdata structure
passed to the tap.packet function, but I could not find a way to either print or
save that data. I have already posted on the Lua list hoping to get a way
to access the userdata type, but it turned out that Lua is only getting a
pointer via this userdata type to the actual reassembled packet data. So
there should be some Wireshark-specific function to access and use that
data. Unfortunately, I have spent 3 days on it already and have not found that
function yet.

Hopefully someone on the Wireshark list will help me here...

Apparently the range method is not useful for the reassembled packets
because it works with the tvb buffer, which is a buffer for the current packet
only, so it can't access the previous packets with the rest of the
reassembled data. I guess that's why we get those "expired tvb" errors when
accessing previous packets...


On Mon, Feb 22, 2010 at 4:00 PM, varname <varname () gmail com> wrote:

Peter Smith wrote:
If the reassembled data comes from several packets I get the following
error:
tshark: Lua: on packet 164 Error During execution of Listener Packet
Callback:
expired tvb

Using your code I was able to get to the same point (I'm basically
trying to do the same thing, but for HTTP packets). If any HTTP packet
is a reassembled one I get the same error.

May I ask if you got the idea for this from this [1] thread on the users
list?


[1] http://www.wireshark.org/lists/wireshark-users/200707/msg00156.html

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

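The following is an added example for the problem discussed in this thread; it is not code from the thread, the Sharkfest slides or the Wireshark project. It is a tshark listener that writes every reassembled HTTP body in a capture to disk, which is the usual way to carve downloaded files out of a pcap during an investigation. It does not touch the third callback argument at all: the reassembled bytes are reached through the Field extractor, whose `range` is a TvbRange over the buffer the dissector built for the frame that completes reassembly. That range is only valid for the duration of the callback, so the bytes are copied out with `bytes()` right away. Assumptions: a Wireshark/tshark build whose Lua API has `ByteArray:raw()` (added in 1.11.3); the output directory and file naming are the example's own choices.

```lua
-- save_http_bodies.lua  (added example, not from the thread or from Wireshark)
-- Run with:  tshark -q -r capture.pcap -X lua_script:save_http_bodies.lua
-- Assumes ByteArray:raw() is available (Wireshark 1.11.3 or later).

local OUT_DIR = "."   -- assumed output directory

-- Field extractors must be created at script load time, before any packet
-- is dissected; calling Field.new() inside the callback raises an error.
local file_data_f    = Field.new("http.file_data")
local content_type_f = Field.new("http.content_type")

-- Frame-level listener restricted by a display filter: packet() only fires
-- for frames in which the dissector produced http.file_data, i.e. the frame
-- that completes reassembly and carries the whole body.
local tap = Listener.new(nil, "http.file_data")

local saved = 0

function tap.packet(pinfo, tvb, tapinfo)
    local fi = file_data_f()
    if not fi then return end

    -- fi.range is a TvbRange over the reassembled buffer for this frame.
    -- It is valid only during this call; holding on to the FieldInfo or the
    -- TvbRange and reading it while a later packet is being processed is
    -- what produces "expired tvb". Copy the bytes out now.
    local body = fi.range:bytes()          -- ByteArray holding a copy

    -- Name the file after the frame number, never after the URI or a
    -- Content-Disposition header: those are attacker controlled and may
    -- contain path separators or "..".
    local name = string.format("%s/body_%06d.bin", OUT_DIR, pinfo.number)

    local fh, err = io.open(name, "wb")
    if not fh then
        error(string.format("cannot open %s: %s", name, err))
    end
    fh:write(body:raw())
    fh:close()

    local ct = content_type_f()
    print(string.format("frame %d: %d bytes (%s) -> %s",
        pinfo.number, body:len(), ct and tostring(ct.value) or "unknown", name))
    saved = saved + 1
end

-- tshark calls draw() once at the end of the capture file
function tap.draw()
    print(string.format("saved %d HTTP bodies", saved))
end
```

The same pattern applies to any reassembled field (for example `data.data` over TCP or a protocol's own payload field): pick the field that the dissector attaches to the final frame, filter the listener on it, and copy the bytes inside the callback rather than keeping a reference to the range.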