Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 4058] New: Lua field extractors not getting values after f

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 28 Sep 2009 06:58:59 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4058

           Summary: Lua field extractors not getting values after first
                    dissection
           Product: Wireshark
           Version: 1.2.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: beth.tridium@xxxxxxxxx


Created an attachment (id=3713)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3713)
Test case for Lua field extractor

Build Information:
Version 1.2.2 (SVN Rev 29910)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,
with c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Sep 14 2009), with
AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1
beta5
(packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS 2.8.1,
Gcrypt 1.4.4, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729


--

A Lua postdissector that extracts field values from a parent protocol will get
nil after the packets have been read once.

When the packets are originally read (in this case from a capture file, but
should behave the same for a live capture), the field values are found by the
Lua field extractors just fine.  However when the packets are re-processed for
the GUI display, the values are no longer available.

In terms of the source code:  When packets are read via the function
add_packet_to_packet_list(), a call to tap_queue_init() primes the fields so
that they are added to the tree's "interesting_hfids" hash table.  This table
is where the Lua field extractor looks up the fields referenced in the Lua
script.  When packets are later re-processed via cf_select_packet(), however,
there is no call to tap_queue_init() or any other function that loads the
desired fields into the hash table; thus when the Lua field extractor looks up
the fields they are not found.

The attached test case opens a text window to show the frame number extracted
each time the dissector runs, and compares it to the actual frame number (found
in pinfo.number).  Applied to any capture file, it will show the correct frame
number extracted for each packet as they are read in from the file, but if the
user attempts to select any of the packets in the display, the frame number
will be incorrect.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube