Wireshark-dev: Re: [Wireshark-dev] Wireshark lua dissector unable to load for media_type=applic
From: Cong Ling <[email protected]>
Date: Sun, 20 Oct 2013 00:17:54 +0800
I think it might be a bug in Wireshark when the media_type is not listed in the dissector table. 'application/octet-stream' is not listed in the table yet.
After I use Lua->evaluate in Wireshark, the dissector table shows my protocol like this; 'application/octet-stream' appears as garbled text.

✉ Cong Ling

On 2013-10-19, at 10:50 PM, Cong Ling <[email protected]> wrote:

Hi all,
I'm trying to write a Lua Proto to parse our private protocol over HTTP. But Wireshark didn't enter my dissector function when the media_type is set to "application/octet-stream". When the media_type is set to "text/html", everything looks fine.
Is there special handling for application/octet-stream?
I was working on it for almost a day. Could you help me out?
Thx a lot

My Wireshark version is 1.10.2 on Mac OS X 10.8.5

Here's my code

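   -- Protocol object and its single field
   local myproto= Proto("myprotoProtocol","myproto Protocol")
   local f_version= ProtoField.uint32("Version","Version",base.DEC)
   myproto.fields = {f_version}
   -- Fallback dissector for payloads that are not myproto
   local data_dis = Dissector.get("data")

   -- Returns true if the buffer was handled as myproto, false otherwise
   local function myproto_dissector(tvb,pkt,root)
           print("enter myproto_dissector, tvb.len:"..tostring(tvb:len()))
           if tvb:len() < 17 then return false end
           pkt.cols.protocol = "myproto"
           local t =root:add(myproto,tvb)
           local version = tvb(0,2):uint() -- method call needs ':' rather than '.'
           return true
   end

   function myproto.dissector(tvb,pkt,root)
           print("enter myproto.dissector")
           if not myproto_dissector(tvb,pkt,root) then
                   -- Not myproto: hand the buffer to the generic data dissector
                   data_dis:call(tvb,pkt,root)
           end
   end

   -- Register in the media_type dissector table (keyed by Content-Type)
   local tbl= DissectorTable.get("media_type")
   tbl:add("application/octet-stream",myproto)
   --tbl:add("text/html",myproto) --text/html looks fine
   print("adding myproto into DissectorTable")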

I use tshark to debug for application/octet-stream

$tshark  -r test.pcapng   |grep application/octet-stream
108 40.536817000 -> HTTP 418 POST /protocol?uid=101225&uid=101225&_t=1382115502 HTTP/1.1  (application/octet-stream)
111 40.596037000 ->    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
120 40.657143000 -> HTTP 445 POST /protocol?uid=101225&uid=101225&_t=1382115502    HTTP/1.1  (application/octet-stream)
124 40.729645000 ->    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
219 41.810493000 -> HTTP 488 POST /protocol?uid=101225&uid=101225&_t=1382115503 HTTP/1.1  (application/octet-stream)
226 41.919401000 ->    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)

$tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
adding myproto into DissectorTable

for text/html

$tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
adding myproto into DissectorTable
enter myproto.dissector
enter myproto_dissector, tvb.len:2
enter myproto.dissector
enter myproto_dissector, tvb.len:6
enter myproto.dissector
enter myproto_dissector, tvb.len:6

Cong Ling
