how to get tcp reassembled length in lua
I have some out-of-order TCP packets, and when the correctly sequenced packets are received, Wireshark's TCP reassembly is able to correctly reorder this data and obtain the correct data length. However, when I try to access the reassembled TCP data in Lua using Field.new("tcp.reassembled.data"), Field.new("tcp.reassembled.length"), Field.new("tcp.segments"), etc., they always return nil. So, how can I access these fields to get the reassembled TCP data?
local log_enabled = true
local max_file_size = 10 * 1024 * 1024 -- 10M (not used yet)
local listen_port = 514
local buf = ""
-- Field extractors are created at load time but may only be called while
-- a packet is being dissected (i.e. inside the dissector function).
local tcp_dstport = Field.new("tcp.dstport")
local tcp_srcport = Field.new("tcp.srcport")
local tcp_stream = Field.new("tcp.stream")
local tcp_len = Field.new("tcp.len")
local tcp_reassembled_len = Field.new("tcp.reassembled.length")
local tcp_segments = Field.new("tcp.segments")
local data_field = Field.new("data.data")

local function get_time()
    return os.date("%Y%m%d_%H%M%S", os.time())
end

local function get_file_path(stream_number)
    return string.format("C:\\Users\\usr\\Downloads\\Syslog_Stream_%s_%s.log", stream_number, get_time())
end

local relp_proto = Proto("RELP", "RELP Protocol")
_G.MAXSTRINGSZ = 0

-- Define fields for RELP protocol
local relp_fields = {
    syslog_records = ProtoField.string("relp.syslog_records", "Syslog Records")
}
relp_proto.fields = relp_fields

-- The log file is opened once when the script loads. No packet is being
-- dissected at that point, so tcp_stream() cannot be evaluated here; a
-- fixed label is used instead of the stream number.
local file
if log_enabled then
    file = io.open(get_file_path("all"), "w")
end

local function log(content)
    if log_enabled and file then
        file:write(content)
        file:flush() -- keep the log readable while Wireshark is still running
    end
end

function relp_proto.init()
    buf = ""
end

function relp_proto.dissector(tvbuf, pinfo, tree)
    --if pinfo.visited == true then
    log("pinfo:" .. pinfo.number)
    -- When this dissector is reached through the tcp.port table, TCP has not
    -- yet added its tcp.reassembled.* items to the tree, so this extractor
    -- returns nil and only the tcp.len branch runs. The (reassembled) payload
    -- itself is tvbuf.
    local reassembled = tcp_reassembled_len()
    if reassembled ~= nil then
        log(" tcp assembled_in:" .. reassembled.value .. "\n")
    else
        local len = tcp_len()
        log(" tcp len:" .. (len and tostring(len.value) or tvbuf:len()) .. "\n")
    end
end

local tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(listen_port, relp_proto)
Can you share code that's not working or try this sample to see if it works:
-- EASYPOST.lua
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed
-- Step 1 - document as you go. See header above and set_plugin_info().
local easypost_info = {
    version = "1.0.0",
    author = "Good Coder",
    description = "Important EASYPOST stuff",
    repository = "Floppy in top drawer"
}
set_plugin_info(easypost_info)
-- Step 2 - create a protocol to attach new fields to
local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")
-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") }
easypost_p.fields = pf
-- Step 4 - create a Field extractor to copy packet field data.
easypost_payload_f = Field.new("tcp.reassembled.length")
-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
    local subtree = nil
    -- copy existing field(s) into table
    ...
Add my script.
I've started a RELP page on the Wireshark wiki.
There is a sample capture - 240913_RELP_syslog.pcapng.
Can you recreate the issue with that capture file so we have a common test environment?
(If it doesn't display the issue you're trying to solve, can you suggest a config or test traffic so that I can update the capture?)
My problem is solved. When I use DissectorTable.get("tcp.port"), it works to get the TCP payload from the tvb passed to the dissector function. However, if we use a tap, then we can use tcp_data=Field.new("tcp.reassembled.data") and then call tcp_data().range. I don't know the reason for this difference, but when I handle these two scenarios in this way, it indeed behaves as expected.
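Both access paths described in the answer side by side, as an added example that is not one of the scripts posted in this thread: port 514 and the RELP name are taken from the thread, while the newline-terminated record framing and the relp_demo field names are assumptions made for illustration.

```lua
-- Added example, not the original poster's script: the two access paths
-- named in the answer, side by side. Port 514 and the RELP name come from
-- the thread; the newline-terminated record framing is assumed for illustration.
local listen_port = 514

-- Path 1: a tcp.port subdissector. tvbuf already IS the TCP payload that TCP
-- hands to this protocol (reassembled when requested below), so no Field
-- extractor is needed. Extractors for tcp.reassembled.* return nil here,
-- because TCP adds those items to the tree only after the subdissector returns.
local relp_demo = Proto("relp_demo", "RELP demo (tcp.port dissector)")
local f_record = ProtoField.string("relp_demo.record", "Record")
relp_demo.fields = { f_record }

function relp_demo.dissector(tvbuf, pinfo, tree)
  local len = tvbuf:len()
  if len == 0 then return end
  -- Incomplete record: ask TCP for one more segment and to call us again
  -- with the combined payload (requires "Allow subdissector to reassemble
  -- TCP streams" in the TCP preferences).
  if not tvbuf:range(0, len):string():find("\n", 1, true) then
    pinfo.desegment_offset = 0
    pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
    return
  end
  pinfo.cols.protocol = "RELP"
  local subtree = tree:add(relp_demo, tvbuf(), "RELP demo, " .. len .. " payload bytes")
  subtree:add(f_record, tvbuf:range(0, len))
end
DissectorTable.get("tcp.port"):add(listen_port, relp_demo)

-- Path 2: a tap (Listener). Taps run after the whole frame has been
-- dissected, so tcp.reassembled.data is populated on the frame that
-- completes a reassembled PDU and is nil on every other frame.
local tcp_reassembled_data = Field.new("tcp.reassembled.data")
local tcp_len = Field.new("tcp.len")
local tap = Listener.new("tcp", "tcp.port == " .. listen_port)

function tap.packet(pinfo, tvb)
  local fi = tcp_reassembled_data()
  if fi ~= nil then
    -- fi.range is a TvbRange covering the reassembled bytes
    print(string.format("frame %d: reassembled PDU, %d bytes",
                        pinfo.number, fi.range:len()))
  else
    local l = tcp_len()
    print(string.format("frame %d: single segment, tcp.len=%s",
                        pinfo.number, l and tostring(l.value) or "n/a"))
  end
end
```

Load the script via the Wireshark plugin folder or `tshark -X lua_script:relp_demo.lua -r capture.pcapng`; path 1 shows up in the packet tree, path 2 prints to the console as each frame is tapped.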