Ask Your Question
0

Dissector doesn't see retransmission packets

asked 2021-09-16 05:11:44 +0000

sezb51 gravatar image

updated 2021-09-16 08:00:57 +0000

Guy Harris gravatar image

Hello,

my dissector is registered to decode a bunch of ports:

tcp_table = DissectorTable.get ("tcp.port")
tcp_table:add (9000, S8HR_proto)
tcp_table:add (9001, S8HR_proto)
tcp_table:add (9002, S8HR_proto)

Sometime wireshark marks traffic on port 9001 as [TCP Retransmissions] and in that case the LUA dissector is either ignored or packet decode gets overwritten so the expected content remains buried in the "TCP payload".

Is there a chance to still have LUA dissector working in case of TCP Retransmissions also ?

Thx!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-09-16 08:03:07 +0000

Guy Harris gravatar image

This has nothing to do with Lua; it has to do with the way the TCP dissector handles retransmissions.

If it's a retransmission, the original packet should have been dissected, so there should be no need to dissect the retransmission.

If it's not a retransmission, that's presumably an indication that TCP is mistakenly identifying it as a retransmission.

edit flag offensive delete link more

Comments

For some reason wireshark was mistakenly identifying port 9001 traffic as retransmission without showing the original packet first... maybe the far end server was doing fuzzy things on their ACK or there was some temporary different path selected... that would require a bit of analysis on the captured pcap.

Anyway it seems that wireshark either don't send retransmission packets through dissector or it does re-evaluate it internally overwriting the dissector script output.

So that is just out of my curiosity since I agree it was a corner case scenario and should not really happens.

sezb51 gravatar imagesezb51 ( 2021-09-16 12:33:15 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-09-16 05:11:44 +0000

Seen: 366 times

Last updated: Sep 16 '21

Related questions

Custom sub protocols registering with a custom protocol's dissector table

Lua display filter in Listener.new

Lua - Get hex value of a field

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Error while creating a Lua listener in 2.4.2 with filter

Lua Dumper to variable

http2 decrypted data in tshark lua script

Decode as LUA - how do I do that?

LUA: dissector wide global table