ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online

Wireshark-dev: Re: [Wireshark-dev] Save extracted data from reassembled packets

From: Peter Smith <psmith135@xxxxxxxxx>
Date: Mon, 22 Feb 2010 16:38:12 +0200
I also tried to use a similar code as in previously mentioned presentation:

wsp_extractor ="wsp")
tap =,"wsp")
function tap.packet(pinfo,tvb,userdata)
local wsp_pdu =  wsp_extractor()
if wsp_pdu then

In this case I get another error:
[string "wsp.lua"]:6: FT_ not yet supported

So I am stuck for now...

On Mon, Feb 22, 2010 at 4:23 PM, Peter Smith <psmith135@xxxxxxxxx> wrote:
Yes, that was the starting point but I have already tried numerous other ways to get the data out of the extracted field with no luck. I found a similar sample from this presentation for Sharkfest'09 available here:

Here is the code sample from it:

-- Register a field value
udp_len_f = ("udp.length")

local function menuable_tap ()
function tap.packet (pinfo, buffer, userdata)
-- Fetch the UDP length
local udp_len = udp_len_f()
if udp_len and udp_len.value > 400 then
-- Do something with big UDP packages

Apparently the reassembled data is contained within userdata structure passed to tap.packet function but I could not find a way to either print or save that data anyhow. I have already posted on Lua list hoping to get a way to access the userdata type but it turned out that lua is only getting a pointer via this userdata type to the actual reassembled packet data. So there should be some wireshark specific function to access and use that data. Unfortunately, I spent 3 days on it already and have not found that function yet.

Hopefully someone on wireshark list will help me here...

Apparently the range method is not usefull for the reassemled packets because it works with tvb buffer which is a buffer for the current packet only so it can't access the previous packets with the rest of the reassembled data. I guess that's why we get those "expired tvb" errors when accessing previous packets...

On Mon, Feb 22, 2010 at 4:00 PM, varname <varname@xxxxxxxxx> wrote:
Peter Smith wrote:
> If the reassembled data comes from several packets I get the following
> error:
> tshark: Lua: on packet 164 Error During execution of Listener Packet
> Callback:
> expired tvb

Using your code I was able to get to the same point (I'm basically
trying to do the same thing, but for HTTP packets). If any HTTP packet
is a reassembled one I get the same error.

May I ask if you got the idea for this from this [1] thread on the users


Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>