I'm writing a Lua Dissector for Wireshark. The packets I'm trying to dissect have the following format:

V_SPEED
N_ITERATION
  SEG_LEN[N_ITERATION] --> This means there are N_ITERATION SEG_LEN in my packet

I succeeded in adding the basic fields (V_SPEED and N_ITERATION) as Wireshark ProtoFields and I can filter based on those. However, I'm struggling with the array of SEG_LEN. I want to be able to use a filter like "SEG_LEN[1] == XYZ". How can I achieve that?

For now, I have the following ProtoFields:

myproto = Proto("MyProto", "My Protocol")
myproto.fields.v_speed = ProtoField.uint16("myproto.v_speed", "v_speed", base.DEC)
myproto.fields.n_iteration = ProtoField.uint16("myproto.n_iteration", "n_iteration", base.DEC)

I tried to define a ProtoField for each possible SEG_LEN like so:

myproto.fields.seg_len_1 = ProtoField.uint16("myproto.seg_len_1", "seg_len_1", base.DEC)
myproto.fields.seg_len_2 = ProtoField.uint16("myproto.seg_len_2", "seg_len_2", base.DEC)
...
myproto.fields.seg_len_255 = ProtoField.uint16("myproto.seg_len_255", "seg_len_255", base.DEC)

And so I have the following piece of code in my dissector function:

for i0 = 1, N_ITERATION do
  seg_len_tmp = extract_variable(buffer, bit_offset, 16)
  bit_offset = bit_offset + 16
  tree:add(_G["myproto.fields.seg_len"..i0], seg_len_tmp)
end

That way, I guess I would be able to use a filter like "SEG_LEN_1 == XYZ". But Wireshark gives me an error saying I'm trying to add a NIL value. Also, I don't feel like it's a good approach.

I know I can also define a single ProtoField for my seg_len, and add all my seg_len to the tree using the same ProtoField, but this will prevent me from filtering with an index.

(English is not my native language, excuse me for the syntax errors)

1 Answer

Something like this?

local myproto = Proto("MyProto", "My Protocol")

local N_ITERATION = 3

-- All the segment lengths in one table
local seg_len = {
    [1] = ProtoField.uint16("myproto.seg_len_1", "seg_len_1", base.DEC),
    [2] = ProtoField.uint16("myproto.seg_len_2", "seg_len_2", base.DEC),
    [3] = ProtoField.uint16("myproto.seg_len_3", "seg_len_3", base.DEC)
}

-- All other fields in a generic pf (protocol fields) table
local pf = {
    v_speed = ProtoField.uint16("myproto.v_speed", "v_speed", base.DEC),
    n_iteration = ProtoField.uint16("myproto.n_iteration", "n_iteration", base.DEC)
}

-- https://stackoverflow.com/questions/1410862/concatenation-of-tables-in-lua
local function TableConcat(t1, t2)
    local i
    for i = 1, #t2 do
        t1[#t1 + 1] = t2[i]
    end
    return t1
end

myproto.fields = TableConcat(pf, seg_len)

function myproto.dissector(tvbuf, pinfo, tree)
    local offset = 0

    local myproto_tree = tree:add(myproto, tvbuf(0, -1))
    for i = 1, N_ITERATION do
        myproto_tree:add(seg_len[i], tvbuf(offset, 2))
        offset = offset + 2
    end

    myproto_tree:add(pf.v_speed, tvbuf(offset, 2))
    myproto_tree:add(pf.n_iteration, tvbuf(offset + 2, 2))
end
Christopher Maynard
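The same per-index idea with the fields generated in a loop and N_ITERATION read from the packet, as an added example that is not code from the question or the answer. It assumes byte-aligned big-endian 16-bit fields in the order V_SPEED, N_ITERATION, SEG_LEN[...], a maximum of 255 segments, and a hypothetical expert-info name; the count from the wire is clamped to the bytes actually captured so a malformed packet cannot push the dissector past the end of the buffer.

```lua
-- Added example. Assumed layout: V_SPEED (2 bytes), N_ITERATION (2 bytes),
-- then N_ITERATION big-endian 16-bit SEG_LEN values, all byte-aligned.
local myproto = Proto("MyProto", "My Protocol")
local MAX_SEG = 255  -- upper bound taken from the question's seg_len_255

local pf = {
    v_speed     = ProtoField.uint16("myproto.v_speed", "v_speed", base.DEC),
    n_iteration = ProtoField.uint16("myproto.n_iteration", "n_iteration", base.DEC),
    -- Generic field: "myproto.seg_len == X" matches a segment at any index
    seg_len     = ProtoField.uint16("myproto.seg_len", "seg_len", base.DEC),
}

-- One indexed field per position, built in a loop and kept in a Lua table
local seg_len = {}
for i = 1, MAX_SEG do
    local name = "seg_len_" .. i
    seg_len[i] = ProtoField.uint16("myproto." .. name, name, base.DEC)
end

-- Register everything as one flat array
local all_fields = { pf.v_speed, pf.n_iteration, pf.seg_len }
for i = 1, MAX_SEG do all_fields[#all_fields + 1] = seg_len[i] end
myproto.fields = all_fields

-- Hypothetical expert-info name, used to flag an inconsistent count
local ef_short = ProtoExpert.new("myproto.truncated.expert",
    "N_ITERATION exceeds the data present in the packet",
    expert.group.MALFORMED, expert.severity.ERROR)
myproto.experts = { ef_short }

function myproto.dissector(tvbuf, pinfo, tree)
    if tvbuf:len() < 4 then return 0 end
    local subtree = tree:add(myproto, tvbuf(0, -1))
    subtree:add(pf.v_speed, tvbuf(0, 2))
    subtree:add(pf.n_iteration, tvbuf(2, 2))
    -- Do not trust the on-wire count: clamp to MAX_SEG and to captured bytes
    local claimed = tvbuf(2, 2):uint()
    local available = math.floor((tvbuf:len() - 4) / 2)
    local count = math.min(claimed, MAX_SEG, available)
    if count < claimed then subtree:add_proto_expert_info(ef_short) end
    for i = 1, count do
        local range = tvbuf(4 + (i - 1) * 2, 2)
        subtree:add(seg_len[i], range)            -- myproto.seg_len_<i>
        subtree:add(pf.seg_len, range):set_hidden()  -- myproto.seg_len
    end
    return 4 + count * 2
end
```

With this loaded, `myproto.seg_len_1 == 100` filters on a specific index and `myproto.seg_len == 100` matches any index.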