Using Lua dissectors, in what order of packets are sub-dissectors/chained dissectors called?

asked 2021-02-25 09:48:46 +0000

TalH

updated 2022-08-29 15:44:19 +0000

cmaynard

I have seen something that is strange to me in the execution of chained dissectors using Lua dissectors.

I am writing a Lua dissector for several protocols. I have a dissector for a layer above UDP (a middle layer) and a layer above that using another dissector (child dissector). I call the child dissector using the dissectortable:try function from the middle layer dissector.

Both the parent layer and the child layer have a counter I raise once per packet (I use pinfo.visited to check if I visited the packet). While the parent layer (middle layer) counter counts the packets as expected, the child dissector packet counter does not count the packets in the right order. (I simulated several packets, and the middle layer counts in ascending order while the child dissector does not match this order.) So I concluded that, for some reason, the order of dissection of the child dissector doesn't match the order of packets and the order of middle layer dissection.

In what order are the chained dissectors called by the dissectortable:try function? Is the child dissector supposed to run immediately, or is the dissection called at a later stage? How should I write counters or analyze data that is based on past packets in child layer protocols?

Side note: I know how to use tables to pass data to other packets, but the problem is I do not know what the previous packet that had the child protocol is (I had hoped to use the counter to match the index for the packet pinfo.number and use that as a hash table for previous data, or something like that). My goal is to check changes from a current packet to the previous one.

Help is greatly appreciated. Thank you.

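An added example, not part of the original post: one way to keep a child-layer counter and a "previous child packet" link that stay stable when Wireshark re-dissects frames out of order after the first sequential pass. The protocol names, field names, the one-byte type header, the two-byte value and UDP port 50000 are all assumptions made up for illustration.

```lua
-- Added example: every protocol name, field and port below is hypothetical.
local mid   = Proto("midproto", "Middle Layer (example)")
local child = Proto("childproto", "Child Layer (example)")
local f_type  = ProtoField.uint8("midproto.type", "Payload type")
local f_value = ProtoField.uint16("childproto.value", "Value")
local f_index = ProtoField.uint32("childproto.index", "Child packet index")
local f_prev  = ProtoField.framenum("childproto.prev_frame", "Previous child frame")
local f_delta = ProtoField.int32("childproto.delta", "Change since previous")
mid.fields   = { f_type }
child.fields = { f_value, f_index, f_prev, f_delta }
local subtable = DissectorTable.new("midproto.type", "Middle payload type", ftypes.UINT8, base.DEC)

-- State keyed by pinfo.number; written only on the first pass over the capture.
local per_frame, last, count = {}, nil, 0
function child.init()  -- runs whenever a capture is loaded or reloaded
    per_frame, last, count = {}, nil, 0
end

function child.dissector(tvb, pinfo, tree)
    if tvb:len() < 2 then return 0 end
    local value = tvb(0, 2):uint()
    if not pinfo.visited then
        count = count + 1
        per_frame[pinfo.number] = { index = count, prev = last }
        last = { frame = pinfo.number, value = value }
    end
    -- Later passes only read what the first pass stored for this frame.
    local st = per_frame[pinfo.number]
    local t = tree:add(child, tvb(0, 2))
    t:add(f_value, tvb(0, 2))
    if st then
        t:add(f_index, st.index):set_generated()
        if st.prev then
            t:add(f_prev, st.prev.frame):set_generated()
            t:add(f_delta, value - st.prev.value):set_generated()
        end
    end
    return 2
end

function mid.dissector(tvb, pinfo, tree)
    if tvb:len() < 2 then return 0 end
    tree:add(mid, tvb(0, 1)):add(f_type, tvb(0, 1))
    -- Hand the remaining bytes to the child registered for this type value.
    subtable:try(tvb(0, 1):uint(), tvb(1):tvb(), pinfo, tree)
    return tvb:len()
end

subtable:add(1, child)
DissectorTable.get("udp.port"):add(50000, mid)
```

Because each frame's index and predecessor are recorded under `pinfo.number` during the first pass, clicking packets in any order afterwards shows the same values.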