Ask Your Question
0

How do you pass arguments to subdissectors in Lua?

asked 2019-07-19 23:15:43 +0000

akwardchit gravatar image

updated 2020-10-16 15:41:16 +0000

cmaynard gravatar image

I have one Lua dissector that calls a subdissector, as so:

second_dissector = Dissector.get("second_dissector")
range = tvbuf:range(hdr_size)
newtvb = range:tvb()
num_bytes = second_dissector:call(newtvb, pktinfo, root)

The dissector call works so far, but now I want to pass an additional argument to the subdissector (a value I dissected in the outer dissector). How do I do this? I've tried adding a fourth argument to my dissector call, but that did not work.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2019-07-22 18:38:15 +0000

Stig gravatar image

You can use the pinfo.private table to send values from one Lua dissector to another. The values are available using pinfo.private.<key>. It's possible to use this datatypes: nil, boolean, number and string, but every value is converted to string so numbers must be converted back using tonumber() on use. Boolean is either nil or an empty string.

From your example set pktinfo.private.the_value like this:

second_dissector = Dissector.get("second_dissector")
range = tvbuf:range(hdr_size)
newtvb = range:tvb()
pktinfo.private.the_value = 42
num_bytes = second_dissector:call(newtvb, pktinfo, root)

Then in second_dissector fetch it with something like this:

local second_dissector(buffer, pinfo, tree)
    if tonumber(pinfo.private.the_value) == 42 then
        -- do something specific for this value
    end
end
edit flag offensive delete link more

Comments

I was confused by this because the documentation states that the private data is Retrieve only:

11.5.5.29. pinfo.private
Mode: Retrieve only.

Access to the private table entries.

... Of course I was wondering how one could ever set it if it was Retrieve only. Does the documentation need to be changed so that reads, Mode: Retrieve or assign. instead? Or am I missing something?

cmaynard gravatar imagecmaynard ( 2019-07-22 19:57:22 +0000 )edit

It seems ugly to convert to a string and back (i.e. I should be able to just pass the value). I used @cmaynard 's solution for now.

I was also confused by the retrieve only specification in the documentation

akwardchit gravatar imageakwardchit ( 2019-07-23 18:55:18 +0000 )edit

@cmaynard yes - the documentation needs to be expanded. Maybe even add "@Stig's answer".
pinfo.private returns a PrivateTable which has WSLUA_META for __index and __newindex.

WSLUA_META PrivateTable_meta[] = {
    WSLUA_CLASS_MTREG(PrivateTable,index),
    WSLUA_CLASS_MTREG(PrivateTable,newindex),
    WSLUA_CLASS_MTREG(PrivateTable,tostring),
    { NULL, NULL }
};

Maybe if __index and __newindex were added to 11.5.6. PrivateTable ?

Chuckc gravatar imageChuckc ( 2022-06-29 17:39:17 +0000 )edit
0

answered 2019-07-20 15:29:43 +0000

cmaynard gravatar image

The following isn't really a generic method of passing data between dissectors per se, but it can work in many cases. If the first dissector has already added a field, say, first.foo, then the second dissector can use a field extractor to obtain the value of that field.

For example, within the second dissector, you might have something like this:

local first_foo_ex = Field.new("first.foo")

local second.dissector(tvbuf, pinfo, tree)
    if first_foo_ex().value == 1 then
        -- do something specific for this value
    else
        -- do something else for any other value
    end
end

If this method doesn't work for you, or you're looking for a more generic method of passing data, then @grahamb's suggestion of opening a Wireshark bug report to add Lua support for passing data between dissectors is the better answer.

(Of course, if the data is needed for conversation tracking, then there's already a Wireshark enhancement bug filed for adding conversation support to Lua, namely Bug 15396, so a new bug report may not be appropriate in this case.)

edit flag offensive delete link more

Comments

I am working with ProtoFields, so I do not think I can get the value in this way.

akwardchit gravatar imageakwardchit ( 2019-07-22 15:23:57 +0000 )edit

Yes, that's exactly what first_foo_ex = Field.new("first.foo") will do. It provides the second dissector with a method for accessing the proto field data added to the proto tree by the first dissector. Have you tried this? You can post some code snippets if it's not working for you so we can see what it is you're doing and how to help fix it if it's not working.

cmaynard gravatar imagecmaynard ( 2019-07-22 15:49:32 +0000 )edit

Okay, I had to make sure to register my first dissector first so that the field exists when I define my second dissector. That works for now, but long term ideally I should be able to pass data so that its independent of the order in which I register the dissectors.

akwardchit gravatar imageakwardchit ( 2019-07-23 18:53:10 +0000 )edit

@akwardchit, This solution is very generic and can be used of already known data. I've used Field.new("udp.length") to get some data from the UDP level to my dissector. I guess you would be able to use this for issue for some other issues you may face.

@cmaynard, I think that this should be added to the wireshark LUA documentation.

BMWE gravatar imageBMWE ( 2020-10-16 15:06:46 +0000 )edit

I think @Stig's answer is the best one for sending data from one Lua dissector to another and it doesn't require that the data is even added to the tree as a field, whereas this solution does. However, if you know there's a field that has been added to the tree for any arbitrary protocol, then this is a generic way to gain access to that data. So it all depends on your use case. Field extractors are already documented in the Wireshark Developer's Guide.

cmaynard gravatar imagecmaynard ( 2020-10-16 15:47:28 +0000 )edit
0

answered 2019-07-20 09:10:18 +0000

grahamb gravatar image

Unfortunately the Lua API doesn't support the standard (C-Based) dissector parameter of data used to pass arbitrary data into a dissector.

There may be another way I'm not aware of, but absent that an enhancement request should be raised on the Wireshark Bugzilla to add this to the Lua API.

edit flag offensive delete link more

Comments

akwardchit gravatar imageakwardchit ( 2019-07-23 19:00:24 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-07-19 23:15:43 +0000

Seen: 1,738 times

Last updated: Oct 16 '20