How to Grab Packets for a Lua Dissector Using Part of a Field

edit

There is no dissector table by that name. From tshark -G dissector-tables | grep btcommon, you'll only find (with master) these btcommon-related tables:

btcommon.eir_ad.entry.uuid      BT EIR/AD Service UUID  FT_STRING       BT Common       Decode As not supported
btcommon.eir_ad.manufacturer_company_id BT EIR/AD Manufacturer Company ID      FT_UINT16        BASE_HEX        BT Common       Decode As supported
btcommon.eir_ad.tds_organization_id     BT EIR/AD TDS Organization ID   FT_UINT8BASE_HEX        BT Common       Decode As supported

Do you mean these are the only ones that can be used with Lua? I've been able to use btcommon.eir_ad.entry.custom_uuid_128 as a filter in Wireshark. I can try using btcommon.eir_ad.entry.uuid, but what do I pass into BLE_table:add() when I only want to use part of the UUID to identify the packet?

Yes, btcommon.eir_ad.entry.custom_uuid_128 is a valid field and thus can be used as a Wireshark display filter, but it's not a a dissector table. From your use case, I don't think registering with btcommon.eir_ad.entry.uuid will work for you if you're only matching a part of the UUID. You may need to implement a Wireshark Postdissector instead, where you grab the btcommon.eir_ad.entry.custom_uuid_128 field, parse it, and only continue with your custom dissection if the portion of that field meets your criteria.

That's doable. What command would I need to just grab the btcommon.eir_ad.entry.custom_uuid_128 field?

You'd just use something like:

local custom_uuid_128 = Field.new("btcommon.eir_ad.entry.custom_uuid_128")

Maybe have a look at the IPv6 Postdissector I wrote as an example? See also a couple of other PostDissectors and some listed on the Examples page. And another on the Dissectors page. And another wireshark-postdissector.

The register_postdissector() is documented in section 11.3.8.1. of the Wireshark Developer Guide.

NOTE: There may be another solution, but I can't think of one.