field from dissector not usable in lua scripts

Question

Here's my basic dissector

foo_proto = Proto("foo","foo proto")
foo_proto.fields.bar = ProtoField.string("foo.bar","bar field")

function foo_proto.dissector(buffer,pinfo,tree)
   local subtree = tree:add(foo_proto,"Foo Protocol Data")
   subtree:add(foo_proto.fields.bar, pinfo.number)
end

register_postdissector(foo_proto)

I use wireshark 1.4.4, I start wireshark and load my dissector in the Lua "Evaluate" window, my packet got dissected correctly and I can see my bar field under the foo proto.

My problem is that I can't use foo.bar as a filter. When I click on "Expression..." the foo proto appears but it has not fields under. The only filter I can use is: foo

When try to evaluate:

  bar_f = Field.new("foo.bar")

I have:

[string "bar_f = Field.new("foo.bar")"]:1: bad argument #1 
 to 'new' (Field_new: a field with this name must exist)

Surprisingly when I use tshark with the option -T fields -e foo.bar and load the lua script, it works, pinfo.number is displayed.

How can I get my foo.bar field usable in my lua scripts ?

Thanks.

Answer 1

1

I recreated your problem with Wireshark 1.4.6 on Mac OS X 10.6, but it actually works correctly on Windows XP SP3; Windows Wireshark lets me use foo.bar as a filter, and it evaluates Field.new("foo.bar") without error.

I would submit a bug.

link

answered 28 Apr '11, 09:41

bstn
375●1●4●15
accept rate: 14%

Answer 2

0	I can confirm the original posters problem using Version 1.6.2 (SVN Rev 38931 from /trunk-1.6) x64 under Windows 7 x64 (I used the evaluate function to run both commands) link answered 14 Sep '11, 05:55 wojtech 1 accept rate: 0%

field from dissector not usable in lua scripts

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions