There is a more recent answer here as to why not, but I can't find it at the moment.
Here is a past answer (LUA dissector: update treeitem in earlier packet) and the project associated with it (GitHub: gaddman/wireshark-tcpextend).
Do your captures have any protocols that are decoded by a TCP heuristic?
If not, you could add your dissector to the TCP heuristic table and set the TCP preference to run heuristics first.
    Frame 1: 88 bytes on wire (704 bits), 88 bytes captured (704 bits)
    Linux cooked capture v1
    Internet Protocol Version 4, Src: 192.168.0.2 (192.168.0.2), Dst: 10.130.0.2 (10.130.0.2)
    Transmission Control Protocol, Src Port: 3003, Dst Port: 6689, Seq: 1, Ack: 1, Len: 32
    Important EASYPOST Protocol
        EASYPOST data: ·······AP···
    IPA protocol ip.access, type: RSL
    Radio Signalling Link (RSL)
    GSM CCCH - Immediate Assignment
    -- EASYPOST.lua
    -- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
    -- Grab and format fields as needed

    -- Step 1 - document as you go. See header above and set_plugin_info().
    local easypost_info =
    {
        version = "1.0.0",
        author = "Good Coder",
        description = "Important EASYPOST stuff",
        repository = "Floppy in top drawer"
    }
    set_plugin_info(easypost_info)

    -- Step 2 - create a protocol to attach new fields to
    local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")

    -- Step 3 - add some field(s) to Step 2 protocol
    local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") }
    easypost_p.fields = pf

    -- Step 4 - create a Field extractor to copy packet field data.
    local easypost_payload_f = Field.new("tcp.flags.str")

    -- Step 5 - create the postdissector function that will run on each frame/packet
    function easypost_p.dissector(tvb,pinfo,tree)
        local subtree = nil
        print("in easypost_p")          -- debug trace
        subtree = tree:add(easypost_p)

        -- copy existing field(s) into table for processing
        local finfo = { easypost_payload_f() }

        if (#finfo > 0) then
            print("#finfo > 0")         -- debug trace
            if not subtree then
                subtree = tree:add(easypost_p)
            end
            for k, v in pairs(finfo) do
                -- process data and add results to the tree
                local field_data = string.format("%s", v):upper()
                subtree:add(pf.payload, field_data)
            end
        end
        -- Nothing is returned, so the heuristic does not claim the packet and
        -- the dissectors that follow still run (IPA/RSL in the output above).
    end

    -- Step 6 - register the new protocol as a heuristic
    -- 240711 - https://ask.wireshark.org/question/35046/lua-script-add-a-new-field-in-the-default-tcp-dissector/
    easypost_p:register_heuristic("tcp", easypost_p.dissector)