Wireshark mailing list archives
Re: any examples of how to hook up Lua dissector to user_dlt tree?
From: Guy Harris <gharris () sonic net>
Date: Tue, 31 Aug 2021 23:48:23 -0700
On Aug 31, 2021, at 10:37 PM, Ariel Burbaickij <ariel.burbaickij () gmail com> wrote:
Hello Christopher, all,
as I wrote "... to write Lua dissector...", so instructions what and how to do on command line do not apply in this
case. Meanwhile, I figured out by myself how this is supposed to work:
local udlt = DissectorTable.get("wtap_encap")
udlt:add(wtap.USER1, ypp)
why not to stick to one naming convention of user_dlt
An explanation of various link-layer type indicators:
Wireshark can read several file formats; they do not all use the same numerical values for any given link-layer type.
pcap and pcapng files use the LINKTYPEs specified on
https://www.tcpdump.org/linktypes.html
The numerical values in that file appear in the headers of pcap files and the Interface Description Blocks of pcapng
files.
libpcap uses DLTs in its APIs. DLTs are *not* guaranteed to have the same numerical values on all platforms;
historically, various OSes have given some DLTs different values on different OSes, so no program should depend on the
numerical value; libpcap preserves that, for binary compatibility.
The LINKTYPEs were created to provide values that *would* be guaranteed to be the same, no matter what platform the
file is written on; libpcap maps between LINKTYPEs and DLTs.
No current libpcap API uses LINKTYPEs.
Wireshark reads more than just pcap and pcapng files, and some of the files it reads have link-layer types for which
there is no corresponding LINKTYPE_ value. Therefore, it has its *own* set of link-layer types - those are the
WTAP_ENCAPs.
There is no guarantee that a WTAP_ENCAP that corresponds to a given LINKTYPE has the same numerical value, and there
never will be such a guarantee - we don't even guarantee that the numerical values of WTAP_ENCAPs will remain the same
from one Wireshark major release to another.
The APIs Wireshark offers to plugins, whether they're for C or Lua plugins, use WTAP_ENCAPs, not LINKTYPEs. There is,
therefore, no guarantee that 148 will work as a way to refer to WTAP_ENCAP_USER1, even though the numerical value of
LINKTYPE_USER1 is 148. The same applies for all other USERn values from USER0 to USER15 - use WTAP_ENCAP_USERn, not
the numerical value for LINKTYPE_USERn, in libwiretap and libwireshark APIs.
The naming convention we use is that, when registering in the "wtap_encap" dissector table with the Wireshark
encapsulation value WTAP_ENCAP_xxx, you use WTAP_ENCAP_xxx in C code and wtap.xxx in Lua code.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- any examples of how to hook up Lua dissector to user_dlt tree? Ariel Burbaickij (Aug 30)
- Re: any examples of how to hook up Lua dissector to user_dlt tree? Maynard, Christopher via Wireshark-users (Aug 31)
- Re: any examples of how to hook up Lua dissector to user_dlt tree? Ariel Burbaickij (Aug 31)
- Re: any examples of how to hook up Lua dissector to user_dlt tree? Guy Harris (Aug 31)
- Re: any examples of how to hook up Lua dissector to user_dlt tree? Ariel Burbaickij (Aug 31)
- Re: any examples of how to hook up Lua dissector to user_dlt tree? Maynard, Christopher via Wireshark-users (Aug 31)