Ask Your Question

How to get the raw bytes of a data link address in lua dissector pinfo (pinfo.dl_src or pinfo.dl_dst)?

asked 2020-09-24 11:14:46 +0000

a2kr gravatar image

Suppose the destination address of the ethernet frame is {0x00, 0x01, 0x02, 0x03, 0x04, 0x05}, how do I get the address as raw bytes similar to tvb? It currently displays it with name resolution and : in between the address bytes in a lua dissector. This address information comes in pinfo.dl_dst field.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-09-28 19:39:50 +0000

cmaynard gravatar image

I don't think this is possible using pinfo.dl_src and pinfo.dl_dst. Even if you disable MAC address name resolution, the :'s will still be inserted between the bytes. You should be able to achieve this using field extractors of the eth.src and eth.dst fields though. For example:

local eth_post = Proto("EthPost", "Ethernet Postdissector")

local pf = {
    eth_dst = ProtoField.bytes("eth_post.dst", "Destination"),
    eth_src = ProtoField.bytes("eth_post.src", "Source")
eth_post.fields = pf

local eth_src ="eth.src")
local eth_dst ="eth.dst")

function eth_post.dissector(tvbuf, pinfo, tree)
    if eth_dst()() ~= nil and eth_src() ~= nil then
        local eth_post_tree = tree:add(eth_post, "Ethernet Postdissector")
        local eth_dst_ex = {eth_dst()}
        local eth_src_ex = {eth_src()}
        local i
        local v

        for i,v in ipairs(eth_dst_ex) do
            eth_post_tree:add(pf.eth_dst, v.range)
        for i,v in ipairs(eth_src_ex) do
            eth_post_tree:add(pf.eth_src, v.range)

edit flag offensive delete link more


Thanks a lot. That works. So, the trick is to use eth.src, eth.dst fields instead of pinfo.dl_src and pinfo.dl_dst.

a2kr gravatar imagea2kr ( 2020-09-29 02:56:30 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2020-09-24 11:14:46 +0000

Seen: 47 times

Last updated: Sep 28