Wireshark-bugs: [Wireshark-bugs] [Bug 5991] New: Dissector created by LUA does not dissect IP tr
Date: Fri, 3 Jun 2011 08:13:08 -0700 (PDT)

           Summary: Dissector created by LUA does not dissect IP traffic
                    properly when the capture is truncated
           Product: Wireshark
           Version: 1.6.0
          Platform: x86
        OS/Version: Windows 7
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]

Created an attachment (id=6451)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6451)
Sample capture of IP traffic using my encapsulation protocol as defined in

Build Information:
Version 1.6.0rc2 (SVN Rev 37523 from /trunk-1.6)

I have created a simple LUA dissector based on the documentation example. The
protocol adds 1 byte to the captured IP raw data, and my dissector reads that
byte and calls the IP dissector with the remaining data. This is the LUA code:

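    -- Configure Dissector
    -- We will use the User USER0 link
    -- Lines tagged "cut off" are missing from the archived report and are filled
    -- in after the Wireshark Lua documentation example; treat them as assumptions.
    local my_proto = Proto("myproto","My Encapsulation Protocol");

    local vs_protos = {
        [0] = "Unknown",
        [1] = "Ethernet",
        [4] = "IP Version 4",
        [6] = "IP Version 6",
        [9] = "PPP",
        -- add new channels here
    }

    local vs_directions = {
        [0] = "Up",
        [1] = "Down"
    }

    -- cut off after "Channel": display base and value string are assumed
    local f_channel = ProtoField.uint8("myprot.channel","Channel",base.DEC,vs_protos)
    -- cut off after "=": the field name "myprot.direction" is a placeholder
    local f_direction = ProtoField.uint8("myprot.direction","Direction",base.DEC,vs_directions)

    my_proto.fields = {f_channel,f_direction}

    local data_dis = Dissector.get("data")

    local protos = {
        [0] = Dissector.get("data"),
        [1] = Dissector.get("eth"),
        [4] = Dissector.get("ip"),
        [6] = Dissector.get("ipv6"),
        [9] = Dissector.get("ppp"),
    }

    function my_proto.dissector(buf,pkt,root)

        local t = root:add(my_proto,buf(0,1)) -- Just one byte for our protocol

        -- Values above 127 have the high bit set; strip it to get the channel
        local proto_id = buf(0,1):uint()
        if(proto_id > 127) then
            proto_id = proto_id - 128
        end
        local dissector = protos[proto_id]
        if dissector ~= nil then
            -- cut off: hand the remaining bytes to the selected dissector
            dissector:call(buf(1):tvb(),pkt,root)
        else
            -- cut off: fall back to the generic data dissector
            data_dis:call(buf(1):tvb(),pkt,root)
        end
    end

    local wtap_encap_table = DissectorTable.get("wtap_encap")
    -- cut off: registration on USER0, per the comment at the top
    wtap_encap_table:add(wtap.USER0,my_proto)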

If the captured IP traffic is complete, everything works as expected, all data
is dissected properly.

The problem occurs when the IP traffic is truncated, for example if only IP and
TCP/UDP headers are captured to reduce the .pcap file. The UDP dissector
produces this error:

Expert Info (Error/Malformed): Bad length value 51 > IP payload length

The TCP dissector does not produce any error, but it believes the payload is
less than it should be and the ack and seq numbers get out of sync.

I have attached a sample capture using the encapsulation protocol as expected
by the above LUA code.
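
Added example, not part of the original report or of Wireshark: a Python check that reads the pcap record headers for this 1-byte encapsulation and shows, per record, whether the capture is truncated (captured length below original length) and how many bytes the IPv4 total length promises beyond what was captured. The sample capture is constructed inline; its UDP length of 51 is chosen to echo the error message above, and link type 147 (USER0) and channel 4 = IPv4 are assumptions taken from the report's code.

```python
import struct

LINKTYPE_USER0 = 147  # pcap link type for USER0 (assumed from the report's comment)

def build_sample_pcap():
    """Constructed sample: one complete record and one cut to IP+UDP headers."""
    udp = struct.pack("!HHHH", 4000, 4001, 51, 0) + b"x" * 43  # UDP length 51
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    frame = b"\x04" + ip  # 1-byte header: channel 4 = IPv4
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USER0)
    for captured in (frame, frame[:1 + 20 + 8]):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 0, 0, len(captured), len(frame)) + captured
    return out

def audit(pcap):
    """Return one dict per record comparing captured, original and IP lengths."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    rows, off = [], 24  # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        row = {"incl_len": incl_len, "orig_len": orig_len,
               "truncated": incl_len < orig_len, "channel": None,
               "ip_total_len": None, "missing": None}
        if data:
            row["channel"] = data[0] & 0x7F  # strip the high bit, as the Lua code does
        if row["channel"] == 4 and len(data) >= 1 + 20:
            # IPv4 total length sits at offset 2 of the IP header, 3 of the record
            row["ip_total_len"] = struct.unpack_from("!H", data, 3)[0]
            # bytes the IP header promises that the capture does not contain
            row["missing"] = max(0, row["ip_total_len"] - (len(data) - 1))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for r in audit(build_sample_pcap()):
        print(r)
```

A record with `truncated` set and a non-zero `missing` is one where any length taken from the captured bytes alone will disagree with the lengths carried in the IP and UDP headers.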
