Wireshark · Wireshark-users: [Wireshark-users] LUA Postdissector Field Extractors getting nil values from built-in TCP Dissectors

Wireshark-users: [Wireshark-users] LUA Postdissector Field Extractors getting nil values from bui

From: Edwin Nasol <enasol@xxxxxxxxx>

Date: Wed, 25 Feb 2009 15:16:07 +0000 (UTC)

Newbie here writing my first LUA Postdissector for a proprietary COMEX-based 
protocol (eth-llc-myproto).

I tried using the (modified) example trivial protocol postdissector below:

------------------8<------------------------------------------------------
-- trivial postdissector example
-- declare some Fields to be read
ip_src_f = Field.new("ip.src")
ip_dst_f = Field.new("ip.dst")
tcp_src_f = Field.new("tcp.srcport")
tcp_dst_f = Field.new("tcp.dstport")
-- declare our (pseudo) protocol
trivial_proto = Proto("trivial","TRIVIAL","Trivial Postdissector")
-- create the fields for our "protocol"
src_F = ProtoField.string("trivial.src","Source")
dst_F = ProtoField.string("trivial.dst","Destination")
conv_F = ProtoField.string("trivial.conv","Conversation","A Conversation")
-- add the field to the protocol
trivial_proto.fields = {src_F, dst_F, conv_F}
-- create a function to "postdissect" each frame
function trivial_proto.dissector(buffer,pinfo,tree)
    -- obtain the current values the protocol fields
    local tcp_src = tcp_src_f()
    local tcp_dst = tcp_dst_f()
    local ip_src = ip_src_f()
    local ip_dst = ip_dst_f()
--    if tcp_src then
       local subtree = tree:add(trivial_proto,"Trivial Protocol Data")
       local src = tostring(ip_src) .. ":" tostring(tcp_src)
       local dst = tostring(ip_dst) .. ":" tostring(tcp_dst)
       local conv = src  .. "->" .. dst
       subtree:add(src_F,src)
       subtree:add(dst_F,dst)
       subtree:add(conv_F,conv)
--    end

end
-- register our protocol as a postdissector
register_postdissector(trivial_proto)
------------------8<------------------------------------------------------

I commented out the "if tcp_src" checking to see all the extracted values.

All the field extractors (tcp_src_f(), tcp_dst(), ip_src_f() and ip_dst_f()) 
are returning nil values even if TCP and IP are found in the Protocol 
Hierarchy. Sample packet shown below:

------------------8<------------------------------------------------------
0000   08 00 20 ad 44 18 00 00 6c 00 01 ff 08 00 45 00  .. .D...l.....E.
0010   00 29 69 f5 40 00 ff 06 bf 95 97 80 10 41 97 80  .)[email protected]..
0020   13 02 03 ff 02 01 6f 28 1d 2e 1f 4c 4f 41 50 18  ......o(...LOAP.
0030   22 38 1f 6c 00 00 1b 63 7e 0d 00 c3              "8.l...c~... 
------------------8<------------------------------------------------------

Can anyone please point me in the right direction to get the correct or 
expected values?

I have WS V1.0.6 on WinXP Pro SP3.

Thanks,
Edwin Nasol

Follow-Ups:
- Re: [Wireshark-users] LUA Postdissector Field Extractors getting nil values from built-in TCP Dissectors
  - From: Edwin Nasol

Prev by Date: Re: [Wireshark-users] comments/rants wrt my (very first) dissector
Next by Date: [Wireshark-users] How to find out the current locally installed version of WinPCap?
Previous by thread: Re: [Wireshark-users] Hacking question
Next by thread: Re: [Wireshark-users] LUA Postdissector Field Extractors getting nil values from built-in TCP Dissectors
Index(es):
- Date
- Thread