I am currently trying to write a Lua chained dissector that would take place on a well-known port. I first wrote it as a post-dissector, and everything was working, but for some reason, the dissector function is never called for a chained dissector. For test purposes, the code is as simple as this:

    -- declare our protocol
    httpProto = Proto("http","http")
    [...]

I ran it using:

    C:\Program Files (x86)\Wireshark>tshark.exe -r http.cap
    out of the dissector
      1 0.000000 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 80 0
      2 0.911310 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1 3372 0
      3 0.911310 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=1 Ack=1 Win=9660 Len=0 80 0
      4 0.911310 145.254.160.237 -> 65.208.228.223 HTTP GET /download.html HTTP/1.1 80 0
      5 1.472116 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [ACK] Seq=1 Ack=480 Win=6432 Len=0 3372 0
      6 1.682419 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
      7 1.812606 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=1381 Win=9660 Len=0 80 0
      8 1.812606 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
      9 2.012894 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=2761 Win=9660 Len=0 80 0
     10 2.443513 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     11 2.553672 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     12 2.553672 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=5521 Win=9660 Len=0 80 0
     13 2.553672 145.254.160.237 -> 145.253.2.203 DNS Standard query A pagead2.googlesyndication.com 53
     14 2.633787 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     15 2.814046 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=6901 Win=9660 Len=0 80 0
     16 2.894161 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     17 2.914190 145.253.2.203 -> 145.254.160.237 DNS Standard query response CNAME pagead2.google.com CNAME pagead.google.akadns.net A 216.239.59.104 A 216.239.59.99 3009
     18 2.984291 145.254.160.237 -> 216.239.59.99 HTTP GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1 80 2
    [...]

However, if I change the code in order to bind it to an "empty" port (as follows):

    [...]
    -- load the tcp.port table
    tcp_table = DissectorTable.get( "tcp.port" )
    -- register our protocol to handle the chosen port
    tcp_table:add( 1756, httpProto )

...and then I feed it:

    C:\Program Files (x86)\Wireshark>tshark.exe -r test1756Packets.pcap
    out of the dissector
    In the dissector
      1 0.000000 10.1.0.122 -> 10.2.17.199 TCP 63545 > capfast-lmd [PSH, ACK] Seq=1 Ack=1 Win=64164 Len=20 1756 0
    In the dissector
      2 0.006478 10.2.17.199 -> 10.1.0.122 TCP capfast-lmd > 63545 [PSH, ACK] Seq=1 Ack=21 Win=1664 Len=64 63545 0

I am running Wireshark 1.6.4 (32- and 64-bit, I tried both) on Windows 7 (64-bit). Can you help me find what I am doing wrong?
The problem is that you're trying to declare a dissector with an existing name; there's already a dissector named "http". You should see the error when you try to load the script:

    $ tshark -Xlua_script:test.lua -i en0 -R "http"
    tshark: Lua: Error during loading: [string "test.lua"]:2: bad argument #1 to 'Proto' (Proto_new: there cannot be two protocols with the same name)

Also, as is, the code shown in your question isn't actually a chained dissector because it doesn't call the original dissector. I'm guessing that was just a copy-and-paste mistake. With the appropriate changes:

    -- declare our protocol
    httpProto = Proto("httpwrap", "HTTP wrapper")
    print("out of the dissector")

    --======================--
    -- create a function to dissect it
    --======================--
    function httpProto.dissector( buffer, pinfo, tree )
        print("In the dissector")
        orig_http_dis:call( buffer, pinfo, tree )
    end

    -- load the tcp.port table
    tcp_table = DissectorTable.get( "tcp.port" )
    orig_http_dis = tcp_table:get_dissector( 80 )
    -- register our protocol to handle the chosen port
    tcp_table:add( 80, httpProto )

    $ tshark -Xlua_script:test.lua -R "http" -r http.cap
    out of the dissector
    In the dissector
      0.911310 145.254.160.237 -> 65.208.228.223 HTTP 533 GET /download.html HTTP/1.1
    In the dissector
      1.682419 65.208.228.223 -> 145.254.160.237 HTTP/XML 1434 HTTP/1.1 200 OK
    In the dissector
    [...]

I am sorry, you are right, I changed the Proto field to make it more verbose and I didn't try to rerun the script. I removed the call to the original dissector to make it as simple as possible. I copy/pasted the exact script that you gave me, but I get the same output:

    C:\Program Files (x86)\Wireshark>tshark.exe -r http.cap
    out of the dissector
      1 0.000000 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 80 0
      2 0.911310 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1 3372 0
      3 0.911310 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=1 Ack=1 Win=9660 Len=0 80 0
      4 0.911310 145.254.160.237 -> 65.208.228.223 HTTP GET /download.html HTTP/1.1 80 0
      5 1.472116 65.208.228.223 -> 145.254.160.237 TCP http > tip2 [ACK] Seq=1 Ack=480 Win=6432 Len=0 3372 0
      6 1.682419 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
      7 1.812606 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=1381 Win=9660 Len=0 80 0
      8 1.812606 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
      9 2.012894 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=2761 Win=9660 Len=0 80 0
     10 2.443513 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     11 2.553672 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     12 2.553672 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=5521 Win=9660 Len=0 80 0
     13 2.553672 145.254.160.237 -> 145.253.2.203 DNS Standard query A pagead2.googlesyndication.com 53
     14 2.633787 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     15 2.814046 145.254.160.237 -> 65.208.228.223 TCP tip2 > http [ACK] Seq=480 Ack=6901 Win=9660 Len=0 80 0
     16 2.894161 65.208.228.223 -> 145.254.160.237 TCP [TCP segment of a reassembled PDU] 3372 0
     17 2.914190 145.253.2.203 -> 145.254.160.237 DNS Standard query response CNAME pagead2.google.com CNAME pagead.google.akadns.net A 216.239.59.104 A 216.239.59.99 3009
     18 2.984291 145.254.160.237 -> 216.239.59.99 HTTP GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1 80 2
    [...]

The function
(23 Dec '11, 07:56)
Mathieu
What version of Wireshark/TShark are you running? I just tried my script successfully from Windows 7 with TShark 1.7.0 (SVN 39768). I even used the

    C:\temp>tshark -R "http" -r http.cap
    out of the dissector
    In the dissector
      4 0.911310 145.254.160.237 -> 65.208.228.223 HTTP 533 GET /download.html HTTP/1.1
    In the dissector
      6 1.682419 65.208.228.223 -> 145.254.160.237 HTTP/XML 1434 HTTP/1.1 200 OK
    In the dissector
      8 1.812606 65.208.228.223 -> 145.254.160.237 HTTP 1434 Continuation or non-HTTP traffic
(23 Dec '11, 13:19)
helloworld
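The exchange above turns on two details: the wrapper's `Proto` must use a name that no built-in dissector already owns, and the original dissector must be fetched from the `tcp.port` table before the wrapper is registered over the same port, then invoked with `:call()`. The following Lua script is an added example, not the asker's or answerer's code, that applies both rules and goes one step further than the thread: after handing the segment to the original HTTP dissector, it adds its own filterable fields, so an analyst can confirm from the packet list (or a `tshark -T fields -e httpchain.method` run) that the chain is actually being executed. The protocol name `httpchain`, the field names, the `METHODS` list and the fallback to `Dissector.get("http")` are choices made for this example.

```lua
-- Added example (not the asker's or answerer's script): a chained HTTP
-- dissector for Wireshark/TShark. It takes over TCP port 80, hands every
-- segment to the original HTTP dissector, then annotates the tree with a
-- small summary of what the payload started with. The protocol name
-- "httpchain", the field names and the port are choices made here.

-- A unique name: "http" is already taken by the built-in dissector and
-- Proto() refuses a second protocol with the same name.
local httpchain = Proto("httpchain", "Chained HTTP wrapper")

-- Fields added on top of the original HTTP dissection, filterable as
-- httpchain.method and httpchain.payload.
local f_method  = ProtoField.string("httpchain.method",  "Request method seen by wrapper")
local f_payload = ProtoField.uint32("httpchain.payload", "Payload bytes handed to original dissector", base.DEC)
httpchain.fields = { f_method, f_payload }

-- Fetch the original dissector BEFORE registering ourselves on the port;
-- after tcp_table:add(80, httpchain) the table entry would be this wrapper
-- and the chain would call itself.
local tcp_table     = DissectorTable.get("tcp.port")
local original_http = tcp_table:get_dissector(80)
if original_http == nil then
    -- Port entry missing (e.g. HTTP disabled on port 80): look the dissector
    -- up by name instead. If that is nil too, the HTTP dissector is not
    -- available and the wrapper must not dereference it.
    original_http = Dissector.get("http")
end

-- Minimal request-line check: an HTTP request begins with a method token
-- followed by a space. Only a few methods are listed; this is illustrative.
local METHODS = { "GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS" }

-- Returns the method that starts the buffer, or nil for anything else
-- (responses, continuation segments, non-HTTP traffic on the port).
local function leading_method(buffer)
    for _, m in ipairs(METHODS) do
        local n = #m + 1                             -- token plus the space
        if buffer:len() >= n and buffer(0, n):string() == m .. " " then
            return m
        end
    end
    return nil
end

function httpchain.dissector(buffer, pinfo, tree)
    -- Let the real HTTP dissector do the work first (reassembly, columns,
    -- the "http" filter field); this is what makes the dissector "chained".
    if original_http ~= nil then
        original_http:call(buffer, pinfo, tree)
    end

    -- Our own subtree, so the wrapper's presence is visible and filterable.
    local subtree = tree:add(httpchain, buffer(), "Chained HTTP wrapper")
    subtree:add(f_payload, buffer:len())

    local method = leading_method(buffer)
    if method ~= nil then
        subtree:add(f_method, buffer(0, #method), method)
    end
end

-- Register the wrapper on the well-known port; this replaces the table
-- entry that previously pointed at the built-in HTTP dissector.
tcp_table:add(80, httpchain)
```

Load it the same way as the thread's script (`tshark -X lua_script:httpchain.lua -r http.cap -Y "httpchain.method"` on a current TShark, or `-R` on the 1.x versions discussed here) and only the request segments should match, while `-Y "http"` still matches everything the built-in dissector recognised, which shows the original dissector is still running underneath the wrapper.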