This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

field from dissector not usable in lua scripts

3

Here's my basic dissector

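-- Declare the protocol
foo_proto = Proto("foo","foo proto")
-- Register a string field with the filter name foo.bar
foo_proto.fields.bar = ProtoField.string("foo.bar","bar field")

function foo_proto.dissector(buffer,pinfo,tree)
    -- Add a subtree for the protocol, then a foo.bar item holding the frame number
    local subtree = tree:add(foo_proto,"Foo Protocol Data")
    subtree:add(foo_proto.fields.bar, pinfo.number)
end

-- Run this dissector after all other dissectors
register_postdissector(foo_proto)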

I use Wireshark 1.4.4. I start Wireshark and load my dissector in the Lua “Evaluate” window; my packet gets dissected correctly and I can see my bar field under the foo proto.

My problem is that I can’t use foo.bar as a filter. When I click on “Expression…” the foo proto appears, but it has no fields under it. The only filter I can use is: foo

When I try to evaluate:

  bar_f = Field.new("foo.bar")

I have:

[string "bar_f = Field.new("foo.bar")"]:1: bad argument #1
to 'new' (Field_new: a field with this name must exist)

Surprisingly, when I use tshark with the option -T fields -e foo.bar and load the Lua script, it works: pinfo.number is displayed.

How can I get my foo.bar field usable in my Lua scripts?

Thanks.

asked 21 Mar ‘11, 09:01

khshark
46114
accept rate: 0%

edited 21 Mar ‘11, 09:03


2 Answers:

1

I recreated your problem with Wireshark 1.4.6 on Mac OS X 10.6, but it actually works correctly on Windows XP SP3; Windows Wireshark lets me use foo.bar as a filter, and it evaluates Field.new("foo.bar") without error.

I would submit a bug.

answered 28 Apr '11, 09:41

bstn
3751415
accept rate: 14%

0

I can confirm the original poster's problem using Version 1.6.2 (SVN Rev 38931 from /trunk-1.6) x64 under Windows 7 x64 (I used the Evaluate function to run both commands).

answered 14 Sep '11, 05:55

wojtech
1
accept rate: 0%