Related packet symbols in Lua dissector

asked 2021-05-21 07:02:08 +0000

Glupsch21
3 ●2 ●4 ●5

updated 2021-05-21 14:25:45 +0000

11115 ●11 ●317 ●165 https://www.igt.com/

Hi, I am developing a dissector in Lua for our own protocol. I was wondering if it is possible to tell Wireshark which packets are related to which in a Lua dissector, so that it marks them with the different related packet symbols. For example, signal that a packet is a request and another one is a response or something like that. Is that possible?

I am thinking about the packet symbols as shown here: https://www.wireshark.org/docs/wsug_h...

Thank you

edit retag flag offensive close merge delete

add a comment

3 Answers

Sort by » oldest newest most voted

answered 2021-05-21 14:24:43 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

As far as I'm aware, this isn't possible yet, but Issue 15396 - Add Lua support for tracking conversations. is tracking it.

edit flag offensive delete link

add a comment

answered 2021-05-21 09:44:47 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

For C-based dissectors, track the requests and responses (usually via conversations which I don't know how to do in Lua), and then add fields to the tree to say how the current frame is tied to the other, e.g.

For the request, add a field indicating the response is in frame x with the field type set to FT_FRAMENUM, and the FRAME_NUM type set to T_FRAMENUM_RESPONSE
For the response, add a field indicating the request is in frame x with the field type set to FT_FRAMENUM, and the FRAME_NUM type set to T_FRAMENUM_REQUEST

Some details are in README.request_response_tracking.

For Lua, create the ProtoField with type ftypes.FRAMENUM and the value string one of frametype.REQUEST or frametype.RESPONSE, see here for more info on the Protofield options