Wireshark-users: [Wireshark-users] Lua dissector does not get called

From: Sidda Eraiah <sidda.eraiah@xxxxxxxxxxx>
Date: Tue, 8 Jun 2010 17:41:52 -0700

I am writing a custom dissector for a protocol and have followed the instructions to enable Lua scripts by commenting out the disable_lua line in the init.lua file. I also have run_user_scripts_when_superuser set to true.

The dissector I have is as follows in wse.lua:

do
    -- Register the protocol: short name "wse", description "Enhanced ws".
    ws_proto = Proto("wse", "Enhanced ws")

    -- Called once per TCP segment that reaches this dissector.
    function ws_proto.dissector(buffer, pinfo, tree)
        print("dissector called")
        pinfo.cols.protocol = "WSE"
        -- Debug output: first four bytes of the segment as a string.
        print(buffer(0, 4):string())
        -- Top-level tree entry for the whole segment, then one child item.
        local subtreeitem = tree:add(ws_proto, buffer(), "WSE traffic")
        subtreeitem:add_le(buffer(), "traffic")
        pinfo.cols.info:set("WSE")
    end

    -- Hook the dissector up to TCP port 8001.
    DissectorTable.get("tcp.port"):add(8001, ws_proto)
    print(ws_proto.name)
end


When I run tshark or wireshark and pass this wse.lua file on the command line using "sudo wireshark -X lua_script:wse.lua", I do see the wse protocol listed in the expressions dialog correctly.

Issue

When I try to record some traffic by sending bytes on port 8001 (this dissector is registered on 8001), my dissector is not called. Instead, it shows the log as follows.

WSE
Running as user "root" and group "root". This could be dangerous.
Capturing on lo
  0.000000    127.0.0.1 -> 127.0.0.1    HTTP Continuation or non-HTTP traffic
  0.000966    127.0.0.1 -> 127.0.0.1    HTTP Continuation or non-HTTP traffic
  0.001001    127.0.0.1 -> 127.0.0.1    TCP 59174 > vcom-tunnel [ACK] Seq=20 Ack

Please note that WSE is printed by my script, but the dissector is not called and the internal HTTP dissector is getting called.

Another thing I tried

So, I started wireshark without the Lua file by executing "sudo wireshark" and opened the evaluate dialog by clicking on the Tools->Lua->Evaluate menu. In this evaluate dialog, I copied the contents of the wse.lua file and evaluated it. I see that "WSE" (my log) is printed on the console. After running this, if I record traffic on loopback, it calls my dissector correctly and I see the entries in wireshark as wse and also the logs that I am printing.

I am running my tests using Wireshark 1.2.7 running on Ubuntu. Here is the information from the about box.

 Version 1.2.7

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.20.0, with GLib 2.24.0, with libpcap 1.0.0, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with
c-ares 1.7.0, with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Feb 18 2010 23:31:11),
without AirPcap.

Running on Linux 2.6.32-22-generic, with libpcap version 1.0.0, GnuTLS 2.8.5,
Gcrypt 1.4.4.


It appears that the HTTP dissector is taking priority over my dissector for some reason. Your valuable insights or workarounds to get this Lua dissector to work correctly are appreciated.

Thanks in advance.

--
Best Regards,
Sidda

Director of Management Services
>|< Kaazing Corporation >|<
888, Villa St. Suite #410, Mountain View, CA 94041, USA
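A defensively written version of such a port-registered Lua dissector, as an added example that is not the poster's script: it assumes a constructed wire format (a 4-byte ASCII magic "WSE1" followed by a little-endian uint32 payload length) and shows bounds checks before slicing the buffer, add_le used with a numeric ProtoField rather than free text, and handling of a length field that exceeds the bytes actually captured.

```lua
-- Added example, not the poster's code. Assumed, constructed wire format:
-- bytes 0..3  ASCII magic "WSE1"
-- bytes 4..7  little-endian uint32 payload length
-- bytes 8..   payload
local wse = Proto("wse", "Enhanced ws")

local f_magic   = ProtoField.string("wse.magic", "Magic")
local f_len     = ProtoField.uint32("wse.len", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("wse.payload", "Payload")
wse.fields = { f_magic, f_len, f_payload }

local HEADER_LEN = 8

function wse.dissector(buffer, pinfo, tree)
    -- Never slice the buffer before checking its length: a short or
    -- malformed segment would otherwise raise a Lua error inside Wireshark.
    if buffer:len() < HEADER_LEN then
        return  -- leave the columns untouched; the packet shows as plain TCP
    end
    if buffer(0, 4):string() ~= "WSE1" then
        return  -- wrong magic, not our traffic
    end

    pinfo.cols.protocol = "WSE"
    local subtree = tree:add(wse, buffer(), "WSE traffic")
    subtree:add(f_magic, buffer(0, 4))
    -- add_le is for little-endian numeric fields, not for free-text labels.
    subtree:add_le(f_len, buffer(4, 4))

    local declared  = buffer(4, 4):le_uint()
    local available = buffer:len() - HEADER_LEN
    if declared > available then
        -- Truncated capture or a lying length field: show what is there
        -- and say so in the Info column instead of reading past the end.
        subtree:add(f_payload, buffer(HEADER_LEN))
        pinfo.cols.info:set(string.format(
            "WSE (truncated: %d of %d payload bytes)", available, declared))
    else
        subtree:add(f_payload, buffer(HEADER_LEN, declared))
        pinfo.cols.info:set(string.format("WSE len=%d", declared))
    end
end

-- Same registration as the poster's script: claim TCP port 8001.
DissectorTable.get("tcp.port"):add(8001, wse)
```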