How to acquire treenode name from tree in post-dissector?

asked 2021-05-31 13:05:20 +0000

NCTuser

updated 2021-06-07 11:30:08 +0000

I would like to write a Lua script which performs some analysis on an EtherCAT capture file captured by Wireshark. The protocol is EtherCAT, and an EtherCAT frame can contain many datagrams, which are represented as treenodes by the dissector. I would like to loop over treenodes (datagrams) to find a specific one.

I have tried to modify Hadriel's post-dissector example and I used it in tshark, but the script breaks down at all_field_infos(). The "Treefields query:" is printed out but "... succeeded!" is missing. What could be wrong?

How I use the script: tshark.exe -r ecat.pcapng -X lua_script:extarct.lua

 -- calling tostring() on random FieldInfo's can cause an error, so this func handles it
 local function getstring(finfo)
    local ok, val = pcall(tostring, finfo)
    if not ok then val = "(unknown)" end
    return val
 end

 -- our fake protocol
 local exproto = Proto.new("extract", "Data Extractor")

 function exproto.dissector(tvbuf, pktinfo, tree)

    print("")
    print("Actual packet no: " .. pktinfo.number .. " Length: " .. pktinfo.len .. " bytes")

    print("Call ESL dissector...")
    Dissector.get("esl"):call(tvbuf, pktinfo, tree)
    print("... succeeded!")

    if tree == nil then
        print("Tree is nil!")
    else
        print("Treefields query:")
        local TreeFieldInfo = { all_field_infos() }
        print("... succeeded!")

        if TreeFieldInfo == nil then
            print("Treefield info is nil!")
        else
            -- Processing fields to find a datagram and acquire data from it.
            for ix, finfo in ipairs(TreeFieldInfo) do
                print("\t[" .. ix .. "] " .. finfo.name .. " = " .. getstring(finfo) .. "\n")
            end          
        end
    end
 end

 -- register it as a postdissector, and force all fields to be generated
 register_postdissector(exproto, true)

Comments

According to this Stack Overflow topic, I thought the ESL (EtherCAT Switch Link) dissector is not called. I put a dissector call into the exproto dissector in my Lua script, but it did not help; the situation is the same.

https://stackoverflow.com/questions/4...

print("Call ESL dissector...")
Dissector.get("esl"):call(tvbuf, pktinfo, tree)
print("... succeeded!")
NCTuser ( 2021-06-02 07:12:53 +0000 )

I printed the tree type and I got these:

print ("Tree type: " .. type(tree))
print (tree)

Tree type: userdata

TreeItem: expired=false, has item=false, has subtree=false, they are the same

Does it say that the tree is empty? Could that be the reason that all_field_infos() fails?

NCTuser ( 2021-06-07 11:37:39 +0000 )