Wireshark-dev: Re: [Wireshark-dev] How to make a LUA written dissector appears in the "Decode A

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 29 Sep 2011 11:36:56 -0700

On Sep 29, 2011, at 1:29 AM, Sandwood Sandwood wrote:

> I am not in any of those cases; my protocol is running on top of X.25.

The "Decode As" widget includes no code to support X.25, so, in your case, there is no way to make any dissector, whether C or Lua or whatever, appear in that widget.

> I checked the implementation of the X.25 dissector: for the payload, the dissector checks if it might be IP, then OSI CLNP, then the heuristic dissectors (we can't write heuristic dissectors in Lua either), then, if nothing matches, invokes the raw data dissector.

Then, if your protocol could have a heuristic dissector, what you need is support for heuristic dissectors in Lua.  Having a heuristic dissector figure out what protocol is being carried over X.25 is more convenient than having to tell Wireshark what's carried over X.25.

> More generally I presume I can't be the first to need to "Decode the raw data with whatever Dissectors I want"

What you need is not "decode all raw data in this capture with a particular dissector that I choose"; for example, if the dissector you want itself has a payload that it shows as raw data, that won't work right.  (Your dissector might not happen to have that problem, but a general mechanism has to work in the general case, not just in your case.)

What you need is, ideally, "dissect the traffic on this particular X.25 virtual circuit with one of these dissectors", where "these dissectors" are dissectors that don't require and expect their PDUs to be carried on a particular protocol (yes, those exist).  "Dissect any unknown data over X.25 with one of these dissectors" would probably be an adequate substitute in most cases.