Re: Save extracted data from reassembled packets

[Peter Smith <psmith135 () gmail com>]

I also tried to use a similar code as in previously mentioned presentation:

===================================
wsp_extractor = Field.new("wsp")
tap = Listener.new(nil,"wsp")
function tap.packet(pinfo,tvb,userdata)
local wsp_pdu =  wsp_extractor()
if wsp_pdu then
print(wsp_pdu.value)
end
end
===================================

In this case I get another error:
[string "wsp.lua"]:6: FT_ not yet supported

So I am stuck for now...


On Mon, Feb 22, 2010 at 4:23 PM, Peter Smith <psmith135 () gmail com> wrote:

> Yes, that was the starting point but I have already tried numerous other
> ways to get the data out of the extracted field with no luck. I found a
> similar sample from this presentation for Sharkfest'09 available here:
> http://www.cacetech.com/sharkfest.09/DT06_Bjorlykke_Lua%20Scripting%20in%20Wireshark.pdf
>
> Here is the code sample from it:
>
> =======================
> -- Register a field value
> udp_len_f = Field.new ("udp.length")
>
> local function menuable_tap ()
> function tap.packet (pinfo, buffer, userdata)
> -- Fetch the UDP length
>  local udp_len = udp_len_f()
> if udp_len and udp_len.value > 400 then
> -- Do something with big UDP packages
>  end
> end
> end
> =======================
>
> Apparently the reassembled data is contained within userdata structure
> passed to tap.packet function but I could not find a way to either print or
> save that data anyhow. I have already posted on Lua list hoping to get a way
> to access the userdata type but it turned out that lua is only getting a
> pointer via this userdata type to the actual reassembled packet data. So
> there should be some wireshark specific function to access and use that
> data. Unfortunately, I spent 3 days on it already and have not found that
> function yet.
>
> Hopefully someone on wireshark list will help me here...
>
> Apparently the range method is not usefull for the reassemled packets
> because it works with tvb buffer which is a buffer for the current packet
> only so it can't access the previous packets with the rest of the
> reassembled data. I guess that's why we get those "expired tvb" errors
> when accessing previous packets...
>
>
> On Mon, Feb 22, 2010 at 4:00 PM, varname <varname () gmail com> wrote:
>
> > Peter Smith wrote:
> > > If the reassembled data comes from several packets I get the following
> > > error:
> > > tshark: Lua: on packet 164 Error During execution of Listener Packet
> > > Callback:
> > > expired tvb
> >
> > Using your code I was able to get to the same point (I'm basically
> > trying to do the same thing, but for HTTP packets). If any HTTP packet
> > is a reassembled one I get the same error.
> >
> > May I ask if you got the idea for this from this [1] thread on the users
> > list?
> >
> >
> > [1] http://www.wireshark.org/lists/wireshark-users/200707/msg00156.html
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe