
How to maintain a packetfile specific var?

asked 2022-12-08 02:51:58 +0000

wireschark

updated 2022-12-10 07:40:36 +0000

Based on my testing (on macOS), Wireshark loads each Lua dissector only once, so the module's private (local) global vars are shared between packet files. Is there a way to distinguish between packet files so I can define packet-file-specific vars?


2 Answers


answered 2022-12-10 06:39:55 +0000

Guy Harris

Currently, only one capture file can be open at a time in a single process running Wireshark (which is not a feature, especially in macOS, but I digress...), so there's no notion of packet file-specific variables anywhere in Wireshark.

What we do have, at least for C/C++ dissectors, is the ability for a dissector to register a routine to be called when a new capture file is opened, before any packets are read and dissected, and to register a routine to be called when the current capture file is closed.

We also have a version of that for Lua dissectors; to quote the documentation for the Proto class in the Wireshark Developer's Guide:

11.3.5.7. proto.init
Mode: Assign only.

The init routine of this dissector, a function you define.

The init routine of a dissector is called when a new capture file is opened and when it's closed (I think that's left over from before we had separate init and close routines for C/C++ dissectors).

So what you want is to (re-)initialize your "should change every time you open a new file" variables in your dissector's init routine.


Comments

doc should be updated

Done.

Guy Harris ( 2022-12-10 17:53:27 +0000 )
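
The approach from the answer above, as an added example that is not part of the original thread or Wireshark's own code: a Lua dissector that rebuilds its module-level state in its init routine, so nothing carries over from one capture file to the next. The protocol name `demo`, the field `demo.seq`, and UDP port 9999 are assumptions made for illustration.

```lua
-- Added example: hypothetical "demo" protocol on UDP port 9999 (both assumed).
local demo = Proto("demo", "Demo Protocol (per-file state example)")
local f_seq = ProtoField.uint32("demo.seq", "Sequence within this capture file")
demo.fields = { f_seq }

-- Module-level state. The script is loaded once per Wireshark process, so
-- without a reset these values would leak from one capture file into the next.
local file_state

local function reset_state()
    file_state = {
        next_seq = 0,       -- running counter for the current file
        seq_by_frame = {},  -- frame number -> value assigned on the first pass
    }
end
reset_state()

-- Per the answer above: called when a capture file is opened and when it is
-- closed, so this is the place to discard everything tied to the old file.
function demo.init()
    reset_state()
end

function demo.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "DEMO"
    local frame = pinfo.number

    -- A frame can be dissected more than once (for example when it is
    -- selected in the packet list), so assign its value only on the first pass.
    if not pinfo.visited and file_state.seq_by_frame[frame] == nil then
        file_state.next_seq = file_state.next_seq + 1
        file_state.seq_by_frame[frame] = file_state.next_seq
    end

    local subtree = tree:add(demo, tvb(), "Demo Protocol")
    local seq = file_state.seq_by_frame[frame]
    if seq then
        -- Value comes from dissector state, not packet bytes: mark as generated.
        subtree:add(f_seq, tvb(), seq):set_generated()
    end
end

DissectorTable.get("udp.port"):add(9999, demo)
```

Keeping all mutable state in one table makes the reset a single assignment, which avoids forgetting a variable when the dissector grows.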

answered 2022-12-08 17:45:08 +0000

Chuckc

Open issue: 11316: Lua: should have a way to get current capture filename/path in Lua

You could add a frame comment to frame/packet 1 and process according to its value.
Comments can be added in the Wireshark GUI or using editcap in a script.
