I use Pyshark, which uses tshark, to decode a pcap file, and I have a problem using the 'decode_as' option.
I'm trying to decode a specific UDP port as SOMEIP protocol. This is a dissector I added that is taken from here.
It is important to say that both the dissector and the "decode_as" option work perfectly in Wireshark.
This is the code I use:
import pyshark
packets=pyshark.FileCapture(pcap_path, display_filter="udp")
packets.next() # Works fine
packets=pyshark.FileCapture(pcap_path, display_filter="udp", decode_as={"udp.port==50000":"someip"})
packets.next() # doesn't return a packet
There is also an ignored exception:
Exception ignored in: <function Capture.__del__ at 0x000001D9CE035268>
Traceback (most recent call last):
File "C:\Users\SHIRM\AppData\Local\Continuum\anaconda3\lib\site-packages\pyshark\capture\capture.py", line 412, in __del__
self.close()
File "C:\Users\SHIRM\AppData\Local\Continuum\anaconda3\lib\site-packages\pyshark\capture\capture.py", line 403, in close
self.eventloop.run_until_complete(self._close_async())
File "C:\Users\SHIRM\AppData\Local\Continuum\anaconda3\lib\asyncio\base_events.py", line 573, in run_until_complete
return future.result()
File "C:\Users\SHIRM\AppData\Local\Continuum\anaconda3\lib\site-packages\pyshark\capture\capture.py", line 407, in _close_async
await self._cleanup_subprocess(process)
File "C:\Users\SHIRM\AppData\Local\Continuum\anaconda3\lib\site-packages\pyshark\capture\capture.py", line 400, in _cleanup_subprocess
% process.returncode)
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
As it recommends, I use debug mode (packets.set_debug()), and after running it I get:
tshark: Protocol "someip" isn't valid for layer type "udp.port"
tshark: Valid protocols for layer type "udp.port" are:
....
and then a long list of protocols, which "someip" is not in... (but another dissector that I added, which is a DLL, is)
Any idea what is wrong here? Does the dissector cause the problem, or did I do something wrong?
Again, the "decode as" works fine when done manually in Wireshark.
Thanks!
EDIT
I found the part in Wireshark code that causes this error:
So I read about dissector tables, and it seems that there shouldn't be a problem, since the dissector Lua code does add "someip" to the dissector table of "udp.port":
local udp_dissector_table = DissectorTable.get("udp.port")
-- The TCP table is not shown in the question's excerpt; it is assumed to be
-- obtained the same way, otherwise the loop below fails on an undefined name.
local tcp_dissector_table = DissectorTable.get("tcp.port")
-- Register dissector to multiple ports
for i,port in ipairs{30490,30491,30501,30502,30503,30504} do
udp_dissector_table:add(port,p_someip)
tcp_dissector_table:add(port,p_someip)
end
I also tried to use the dissectortable:add_for_decode_as(proto) function (described in 11.6.2.11 here):
udp_dissector_table:add_for_decode_as(p_someip)
But it didn't work :(
Any idea will be appreciated, thanks
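One check worth running before blaming the dissector: ask the tshark binary that pyshark will actually launch (by default the first "tshark" on PATH, which may not be the one your Wireshark GUI uses) whether it has "someip" registered in the udp.port table at all. Added example, not code from the question or from pyshark; the function names are hypothetical, and it relies on `tshark -G decodes` printing tab-separated "layer type, selector, dissector name" lines.

```python
import shutil
import subprocess


def parse_decodes(output: str) -> dict:
    """Parse `tshark -G decodes` output into {layer_type: {dissector names}}.

    Each line is tab-separated: layer type, selector value, dissector name,
    e.g. "udp.port\t30490\tsomeip". Only dissectors registered for a concrete
    selector (as the Lua loop over ports above does) appear here; malformed
    lines are skipped.
    """
    table = {}
    for line in output.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 3:
            continue
        layer, _selector, name = parts
        table.setdefault(layer, set()).add(name)
    return table


def decode_as_known(layer_type: str, proto: str, decodes_output: str) -> bool:
    """True if a `-d layer_type==<port>,proto` option (what pyshark's
    decode_as dict is turned into) names a dissector this tshark knows."""
    return proto in parse_decodes(decodes_output).get(layer_type, set())


def check_with_tshark(layer_type: str, proto: str, tshark: str = None) -> bool:
    """Run the real tshark and ask it; pass the same path you give pyshark's
    tshark_path= if you override it there."""
    exe = tshark or shutil.which("tshark")
    if exe is None:
        raise FileNotFoundError("tshark not found on PATH")
    result = subprocess.run([exe, "-G", "decodes"], capture_output=True,
                            text=True, check=True)
    return decode_as_known(layer_type, proto, result.stdout)


# Constructed sample of `tshark -G decodes` output, for offline use only.
SAMPLE_DECODES = (
    "udp.port\t30490\tsomeip\n"
    "udp.port\t30491\tsomeip\n"
    "tcp.port\t80\thttp\n"
)
```

If check_with_tshark("udp.port", "someip") returns False while the Wireshark GUI decodes fine, the Lua plugin is not being loaded by that tshark (different binary or plugin directory), which matches the "isn't valid for layer type" error pyshark reports.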