On Sep 28, 2011, at 4:57 AM, Sandwood Sandwood wrote:
> The "Wireshark: Decode As" functionality is very usefull in some case when the carrying protocol does not provide a "upper protocol field".
For the Ethertype, MPLS label, IP protocol, TCP port, UDP port, and SCTP PPI pages, "Decode As" works by registering a particular value of the "upper protocol field" in the carrying protocol's dissector table to use the upper protocol, so that requires an upper protocol field.
For DCE RPC, it works by registering a particular collection of port numbers, context IDs and (for DCE RPC over SMB) SMB file ID to use a particular DCE RPC-based protocol, so that applies *only* to DCE RPC-based protocols.
For ASN.1, it works only if the "capture file" is a raw collection of ASN.1 BER-encoded data, and applies only to ASN.1 BER-encoded protocol.
I don't think we support writing dissectors either for DCE RPC-based protocols or ASN.1-based protocols in Lua, so you're presumably talking about dissectors for protocols running atop:
protocols with an Ethertype, which have an "upper protocol field";
IPv4 or IPv6, which have an "upper protocol field", the IP protocol type/next header field;
TCP or UDP, which have a field that's technically not an "upper protocol field" but that can sometimes be used as one, the port number;
SCTP, which has the PPI field;
and all have dissector tables for the fields in question.
> When writing a Dissector in LUA, the newly written dissector is not in the List of protocols.
>
> So if the carrying protocol does not offer a Dissector Table where I can add the upper LUA protocol, how can we process ?
If the protocol on top of which your protocol runs doesn't have a dissector table, you can't even make a dissector written in C appear in the "Decode As" widget, except for DCE RPC-based and ASN.1-based protocols.
