Wireshark mailing list archives
How to allow string matching on a decoded string field ?
From: Fulko Hew <fulko.hew () gmail com>
Date: Tue, 15 Dec 2020 19:35:02 -0500
I have a protocol that has an encrypted string as one of its fields. A Lua based dissector (for example) shows this using the following code snippet:

    xx_proto.fields.msg = ProtoField.string("xx.msg", "Msg", base.ASCII)
    local decoded = decrypt(buf, start)
    subtree:add(xx_proto.fields.msg, buf(start, len), decoded:raw())

The decoder converts the encrypted data into ASCII. I'd love to be able to search on the decrypted contents using a display filter, but I presume it searches buf(start, len) rather than the decrypted data/value that's placed into the tree.

Can it be done? What would I need to do?

TIA
Fulko