A Field extractor to obtain field values. A Field object can only be created outside of
the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
Once created, it is used inside the callback functions, to generate a FieldInfo object.
Create a Field extractor.
The field extractor
Gets a Lua array table of all registered field filter names.
Note: This is an expensive operation, and should only be used for troubleshooting.
The array table of field filter names
An extracted Field from dissected packet data. A FieldInfo object can only be used within
the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
A FieldInfo can be obtained for existing Wireshark fields by creating a Field extractor beforehand
with Field.new() or Field(), or for new fields created by Lua from a ProtoField.
Obtain the Value of the field.
Prior to 1.11.4, this function retrieved the value for most field types,
but for ftypes.UINT_BYTES it retrieved the ByteArray of the field’s entire TvbRange.
In other words, it returned a ByteArray that included the leading length byte(s),
instead of just the value bytes. That was a bug, and has been changed in 1.11.4.
Furthermore, it retrieved an ftypes.GUID as a ByteArray, which is also incorrect.
If you wish to still get a ByteArray of the TvbRange, use fieldinfo.range
to get the TvbRange, and then use tvbrange:bytes() to convert it to a ByteArray.
Checks whether the end byte of lhs is before the end of rhs.
Checks whether the end byte of lhs is before the beginning of rhs.
Mode: Retrieve only.
The internal field type, a number which
matches one of the ftype values.
Mode: Retrieve only.
The source Tvb object the FieldInfo is derived
from, or nil if there is none.
Mode: Retrieve only.
The TvbRange covering the bytes of this field in a Tvb or nil if there is none.
Mode: Retrieve only.
Whether this field was marked as generated (boolean).
Mode: Retrieve only.
Whether this field was marked as being a URL (boolean).
Mode: Retrieve only.
Whether this field is little-endian encoded (boolean).
Mode: Retrieve only.
Whether this field is big-endian encoded (boolean).
Obtain all fields from the current tree. Note this only gets whatever fields the underlying dissectors have filled in for this packet at this time - there may be fields applicable to the packet that simply aren’t being filled in because at this time they’re not needed for anything. This function only gets what the C-side code has currently populated, not the full list.
Request one or multiple fields by their filter names.
This function tells Wireshark to populate the specified fields during dissection. For performance reasons, Wireshark dissectors don’t add all possible fields to the dissection tree by default - they only add fields that are explicitly requested (e.g., via display filters, taps, or this function). This significantly reduces memory usage and improves dissection speed, especially for fields that are expensive to compute or rarely needed.
Without calling this function (or Field.new()), fields may exist in the protocol but won’t be available in the dissection tree when you try to access them via all_field_infos() or other field extraction methods.
This function must be called outside of callback functions (dissectors, taps, etc.).
-- Request a single field
request_fields("ip.src")
-- Request multiple fields
request_fields({"ip.src", "ip.dst", "tcp.port"})
@param fieldnames A string or table (array) of field filter names to request (e.g. "ip.src" or {"ip.src", "tcp.port"})
Since: 4.7.0
Request all fields from one or more specified protocols.
This function tells Wireshark to populate all fields from the specified protocol(s) during dissection. Normally, Wireshark dissectors use a "lazy" approach and only add fields to the dissection tree when they are actually needed (e.g., when a display filter references them, or when Field.new() explicitly requests them). This optimization dramatically improves performance and reduces memory consumption, especially for protocols with many fields or computationally expensive field values.
By calling this function, you’re telling Wireshark: "I need ALL fields from protocol X, so please populate them all during dissection, even if they’re not otherwise needed."
Use this function carefully with protocols that have many fields, as it can impact performance. For better performance, prefer request_fields() to request only specific fields you actually need.
This function must be called outside of callback functions (dissectors, taps, etc.).
Returns a table (array) of protocol names that were successfully requested. Unknown protocol names are ignored.
-- Request all fields from a single protocol
request_protocol_fields("http")
-- Request all fields from multiple protocols
request_protocol_fields({"ip", "tcp", "udp"})
@param protocols A string or table (array) of protocol names (e.g. "ip" or {"ip", "tcp", "http"})
Since: 4.7.0
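As an added example (not from the Wireshark Lua reference), a tshark listener script that ties the pieces above together: Field extractors created at load time, request_fields() so the fields are populated without a display filter, and FieldInfo values, types and ranges read inside the tap callback. The per-pair packet counter, the guard for releases older than 4.7.0 and the script file name are assumptions of this example.

```lua
-- Added example; not part of the Wireshark Lua reference.
-- Run with: tshark -r capture.pcapng -q -X lua_script:fieldinfo_demo.lua

-- Field extractors must be created OUTSIDE callback functions.
local f_ip_src   = Field.new("ip.src")
local f_ip_dst   = Field.new("ip.dst")
local f_tcp_port = Field.new("tcp.port")   -- two FieldInfo per TCP packet (src, dst port)

-- Make sure these fields are populated even when no display filter references them.
-- request_fields() exists since 4.7.0; Field.new() already requests the fields,
-- so the guard only keeps the script loadable on older releases (assumption).
if request_fields then
    request_fields({"ip.src", "ip.dst", "tcp.port"})
end

local pair_counts = {}   -- "src -> dst" => packet count (constructed bookkeeping)

local tap = Listener.new("frame")

function tap.packet(pinfo, tvb, tapinfo)
    -- Calling the extractor inside the callback yields FieldInfo objects (or nothing).
    local src, dst = f_ip_src(), f_ip_dst()
    if not src or not dst then return end   -- non-IP frame

    -- fieldinfo() returns the field's value (an Address here); tostring() for the key.
    local key = tostring(src()) .. " -> " .. tostring(dst())
    pair_counts[key] = (pair_counts[key] or 0) + 1

    -- Inspect every tcp.port FieldInfo: type, generated flag, and raw bytes via range.
    for _, fi in ipairs({ f_tcp_port() }) do
        local range = fi.range                 -- TvbRange, or nil if there is none
        local raw = range and range:bytes()    -- ByteArray of just the value bytes
        if fi.type == ftypes.UINT16 and raw and raw:len() ~= 2 then
            print(string.format("frame %d: unexpected %d-byte tcp.port",
                                pinfo.number, raw:len()))
        end
        if fi.generated then
            print(string.format("frame %d: tcp.port %s is a generated field",
                                pinfo.number, tostring(fi())))
        end
    end
end

function tap.draw()
    for key, n in pairs(pair_counts) do
        print(string.format("%-40s %d packets", key, n))
    end
end
```

A large number of distinct destination pairs from one source in tap.draw() output is the kind of fan-out a defender would follow up on; the script itself only counts.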