Wireshark dissector in Lua

First of all, I am new to Lua in general, and this is my first attempt to write a Wireshark parser.

My protocol is simple - a 2-byte field followed by a string of that length.

When I run the code through the Lua console, everything works as expected.

When the code is added to the Wireshark plugin directory, I get an error

    Lua Error: [string "C:\Users...\AppData\Roaming\Wireshark..."]:15: calling 'add' on bad self (number expected, got string)

Line 15 corresponds to the line t:add(f_text...

Can someone explain the mismatch between the execution methods?

    do
        local p_multi = Proto("aggregator","Aggregator");

        local f_len = ProtoField.int16("aggregator.length","Length",base.DEC)
        local f_text = ProtoField.string("aggregator.text","Text")

        p_multi.fields = { f_len, f_text }

        local data_dis = Dissector.get("data")

        function p_multi.dissector(buf,pkt,root)
            pkt.cols.protocol = "Aggregator"
            local len = buf(0,2):int()
            local t = root:add(p_multi,buf(0,len+2))
            t:add(f_len,buf(0,2),"Length: " .. buf(0,2):int())
            t:add(f_text,buf(2,len),"Text: " .. buf(2,len):string())
        end

        local tcp_encap_table = DissectorTable.get("tcp.port")
        tcp_encap_table:add(4321,p_multi)
    end
+6
1 answer

Your dissector code is very close to correct, but you are doing extra work that the interface will not accept. If you change your dissector function like so

    function p_multi.dissector(buf,pkt,root)
        pkt.cols.protocol = "Aggregator"
        local len = buf(0,2):int()
        local t = root:add(p_multi,buf(0,len+2))
        t:add(f_len,buf(0,2))    --let Wireshark do the hard work
        t:add(f_text,buf(2,len)) --you've already defined their labels etc.
    end

you will get the desired behavior. The labels "Text" and "Length" are already defined for your fields, so there is no need to provide them again on lines 15 and 16.

+6
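
Added example, not part of the original question or answer: a variant of the same dissector that validates the 2-byte length against the bytes actually captured before slicing the buffer, and that shows where a custom label belongs in `TreeItem:add` (the third argument is the field value, the label comes after it). It assumes the length is unsigned and big-endian, that several messages may share one TCP segment, and that it replaces the original plugin file rather than loading beside it.

```lua
-- Added example: length-prefixed "Aggregator" dissector with bounds checks.
local p_multi = Proto("aggregator", "Aggregator")

-- Assumption: the length is a byte count, so it is declared unsigned.
local f_len  = ProtoField.uint16("aggregator.length", "Length", base.DEC)
local f_text = ProtoField.string("aggregator.text", "Text")
p_multi.fields = { f_len, f_text }

function p_multi.dissector(buf, pkt, root)
    local offset = 0
    local avail = buf:len()

    while offset < avail do
        -- The 2-byte header must be present before the length can be read.
        if avail - offset < 2 then
            pkt.desegment_offset = offset
            pkt.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local len = buf(offset, 2):uint()

        -- Never trust the on-wire length: if the payload is not fully
        -- captured yet, ask TCP reassembly for the missing bytes instead
        -- of indexing past the end of the buffer.
        if avail - offset < 2 + len then
            pkt.desegment_offset = offset
            pkt.desegment_len = (2 + len) - (avail - offset)
            return
        end

        pkt.cols.protocol = "Aggregator"
        local t = root:add(p_multi, buf(offset, 2 + len))

        -- add(field, range, value, label): value third, custom label fourth.
        t:add(f_len, buf(offset, 2), len, "Length: " .. len .. " bytes")

        -- A zero-length message has no text range to add.
        if len > 0 then
            t:add(f_text, buf(offset + 2, len))
        end

        offset = offset + 2 + len
    end
end

DissectorTable.get("tcp.port"):add(4321, p_multi)
```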

Source: https://habr.com/ru/post/914653/
