Ask Your Question
0

“Apply as Column” for field in custom protocol in Wireshark

asked 2020-10-12 10:44:17 +0000

Adrian gravatar image

updated 2020-10-12 10:45:28 +0000

I've written a dissector in Lua for my custom protocol:

local myproto = Proto("MyProto", "My Custom Protocol")
myproto.fields.msg_counter = ProtoField.uint8("myproto.msg_counter", "Message counter", base.DEC)

function myproto.dissector(tvbuf, pktinfo, root)
  pktinfo.cols.protocol = myproto.name
  if root.visible then
    root:add_le(myproto.fields.msg_counter, tvbuf(10, 1))
  end
end

local udp_port = DissectorTable.get("udp.port")
udp_port:add(5432, myproto)

That works, the "Message counter" field and its value are correctly displayed in the tree area. But when I right click the field and choose "Apply as Column", the column is added but remains empty:

Wireshark screenshot

How can I fix this, so that the field values are displayed in the column view? I'm using Wireshark 3.2.3. Thanks in advance!

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2020-10-12 17:07:02 +0000

Chuckc gravatar image

Works if I comment out the "visible" check. (tvbuf values different for test data I created)

-- if root.visible then
        root:add_le(myproto.fields.msg_counter, tvbuf(0, 2))
--  end
edit flag offensive delete link more

Comments

Wireshark dissection passes explained.
Wireshark Lua API mentions that tree is only created as needed.

Chuckc gravatar imageChuckc ( 2020-10-12 17:51:04 +0000 )edit

Thanks, that worked! But now packet parsing is painfully slow, it takes several minutes per 100k captured packets (and my application generates 36k per second), which is why I added the "visible" check in the first place. Is there a way to avoid dissecting all packets immediately, while still allowing the values in the columns to be displayed?

Adrian gravatar imageAdrian ( 2020-10-12 18:12:24 +0000 )edit

11.7.2.11. treeitem:referenced(protofield)

  if root:referenced(myproto.fields.msg_counter) then
    root:add_le(myproto.fields.msg_counter, tvbuf(0, 2))
  end
Chuckc gravatar imageChuckc ( 2020-10-12 19:42:44 +0000 )edit

I can see that referenced reduces calls to add_le but working with a small capture here.
You might also move setting the protocol column inside the if statement to reduce workload.

  pktinfo.cols.protocol = myproto.name
Chuckc gravatar imageChuckc ( 2020-10-12 19:45:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-10-12 10:44:17 +0000

Seen: 40 times

Last updated: Oct 12