Why does accessing FieldInfo.value disable search in info column?

asked 2024-10-22 13:24:48 +0000

Christian

Hello,
I have the problem that the Wireshark-info-column-content of some of my Wireshark Lua PlugIns is not found by the Wireshark search field (Ctrl + f).
For example, if the info column contains "abcde" and I search for "abc" (without quotes) it is not found. But with other PlugIns this works.
I created a minimal PlugIn which shows that the search does not find the string if I access the value of a FieldInfo.
If I don't access the value, the search works.
(I assume) You can reproduce that with some packet capture and this Lua PlugIn. Just toggle the variable "makeSearchDoesntWork" to see the bad and the good case:

local myProto = Proto("myproto", "My Protocol")
myProto.fields.Port = ProtoField.uint8("myproto.port", "Port", base.DEC)
local myField = Field.new("myproto.port")

function myProto.dissector(buffer, pinfo, tree)
    tree:add(myProto.fields.Port, buffer(0, 1))
    local makeSearchDoesntWork = false
    local myFieldInstance = myField()
    if makeSearchDoesntWork then
        local myValue = myFieldInstance.value
    end
    pinfo.cols.info = "abcde"
end

register_postdissector(myProto)

So why does accessing FieldInfo.value disable search in info column? Is it my fault or is it a bug in Wireshark?

My Wireshark: Wireshark 4.4.1 (v4.4.1-0-g575b2bf4746e).
My OS: Windows 10

Best Regards, Christian


Comments

6.8. Finding Packets
What are your settings for the "Find"?

Chuckc ( 2024-10-22 14:04:13 +0000 )

The defaults:
"Packet list",
"String",
Case sensitive yes,
"Narrow (UTF-8 / ASCII)" which is disabled: I can't set a different value

Christian ( 2024-10-22 14:16:38 +0000 )

A quick scan of the wslua code and nothing jumps out.
The handling of pinfo.cols doesn't follow the WSDG - the column is appended to not set to new value.
Please open an issue (ReportingBugs) on the Wireshark Gitlab Issues.

Chuckc ( 2024-10-22 15:43:18 +0000 )
  • the column is appended to not set to new value.

No, this part is fine. Confusingly, col_add_str is not an append, it replaces the value. (But copies the string, unlike col_set_str.)

johnthacker ( 2024-10-22 21:28:08 +0000 )

@johnthacker col_add_str appends after a fence.
There is also an issue where _ws.col.info does not contain the same data as the Information column.
(I've reached my personal limit of open issues so was hoping @Christian would create a new one) :-)

I haven't looked at the search code yet but it seems to look at _ws.col.info.

No. Time    Source  Destination Protocol    Length  Info    col_info
1   0.000000    192.168.170.8   192.168.170.20  DNS 70  abcde   Standard query 0x1032 TXT google.com
2   0.000530    192.168.170.20  192.168.170.8   DNS 98  abcde   Standard query response 0x1032 TXT google.com TXT
3   4.005222    192.168.170.8   192.168.170.20  DNS 70  abcde   Standard query 0xf76f MX google.com

Chuckc ( 2024-10-22 21:44:26 +0000 )

1 Answer


answered 2024-10-22 21:33:27 +0000

johnthacker

This happens because myFieldInstance is nil when dissecting to get the columns when performing a Find on the columns. This is because the tree is a NULL tree, for speed. You can check tree.visible I think. You could also when registering your post dissector that you need the tree to always be visible, but it seems like overkill.

Anyway, your Lua dissector throws an error when dissecting with a NULL tree before setting the column. Unfortunately there's no traceback or logging added because it's in a special speedy column only dissection done for Find.


Comments

Thanks a lot @johnthacker (sorry, I can't vote, I have less than 15 points :-) )! Checking myFieldInstance for ~= nil solves my problem!

Is there a way to see the errors thrown while searching? How did you see this error?

Christian ( 2024-10-23 05:22:22 +0000 )

Now I'm at the next problem: If the content of the info column depends on the value, which is not available while the search engine calls the dissector, the search will not find this content.
For example, the value is 255 and added to the info column. When I search for 255 I will not find it.
This part of your answer should address this, I think: "You could also when registering your post dissector that you need the tree to always be visible"
I added true as second argument of register_postdissector but this doesn't help. Is that what you meant?
Try to search for the integer that is shown at the end of the info column to reproduce:

local myProto = Proto("myproto", "My Protocol")
myProto.fields.Port = ProtoField.uint8("myproto.port", "Port", base.DEC)
local myField = Field.new("myproto.port")

function myProto.dissector(buffer, pinfo, tree)
    tree:add ...
(more)
Christian ( 2024-10-23 05:58:54 +0000 )

Ah, I thought that would work but it doesn't. Try this instead, using add_packet_field instead of add, which returns the retrieved value immediately as a second return value (similar to the C dissection proto_tree_add_item_ret_XXX() functions):

function myProto.dissector(buffer, pinfo, tree)
    local myItem
    local makeSearchDoesntWork = true
    local myValue = -1
    myItem, myValue = tree:add_packet_field(myProto.fields.Port, buffer(0, 1), ENC_BIG_ENDIAN)
    local msg = "Search works"
    print(myItem.text)
    if makeSearchDoesntWork then
        if tree ~= nil then
            local myFieldInstance = myField()
            -- This line makes search working (for content that does not depend on myValue):
            if myFieldInstance ~= nil then
                --myValue = myFieldInstance.value
                msg = "value was accessed. Does search work??"
            else
                msg = "myFieldInstance is nil"
            end
        else
            msg = "tree is nil"
        end
    end
    pinfo.cols.info = msg .. " / abcde / " .. myValue
end

BTW, I believe you can still "accept" the answer even without upvoting.

johnthacker ( 2024-10-23 11:00:00 +0000 )

Thanks a lot @johnthacker ! This solves my problem completely and furthermore makes it much easier to access the values. No more need to create the Fields!

local myProto = Proto("myproto", "My Protocol")
myProto.fields.Port = ProtoField.uint8("myproto.port", "Port", base.DEC)
function myProto.dissector(buffer, pinfo, tree)
    local myItem, myValue = tree:add_packet_field(myProto.fields.Port, buffer(0, 1), ENC_BIG_ENDIAN)
    pinfo.cols.info = "abcde / " .. myValue
end
register_postdissector(myProto)

Christian ( 2024-10-23 13:00:14 +0000 )
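
A defensive variant of the postdissector discussed in this thread, as an added example that is not code from any of the posters or from the Wireshark project: it guards the nil extractor result and wraps the body in pcall, so an error raised during the column-only pass used by Find is reported instead of silently leaving the Info column unset. The helper name `dissect` and the "myproto error" text are assumptions made for this example; protocol and field names follow the thread.

```lua
-- Added example, not from the thread. Load as a Wireshark Lua plugin.
local myProto = Proto("myproto", "My Protocol")
myProto.fields.Port = ProtoField.uint8("myproto.port", "Port", base.DEC)
local myField = Field.new("myproto.port")

-- Dissector body kept in its own function so it can be run under pcall.
local function dissect(buffer, pinfo, tree)
    -- add_packet_field returns the decoded value as its second result,
    -- so the value does not depend on an extractor finding the field.
    local _, port = tree:add_packet_field(myProto.fields.Port,
                                          buffer(0, 1), ENC_BIG_ENDIAN)

    -- The extractor may return nil in the column-only pass (NULL tree),
    -- so test the result before touching .value.
    local fi = myField()
    local viaExtractor = "n/a"
    if fi ~= nil then
        viaExtractor = tostring(fi.value)
    end

    pinfo.cols.info = string.format("abcde / %s (extractor: %s)",
                                    tostring(port), viaExtractor)
end

function myProto.dissector(buffer, pinfo, tree)
    -- Nothing to decode in an empty frame.
    if buffer:len() < 1 then
        return
    end

    -- An uncaught error here aborts the dissector before the column is
    -- set, and the Find pass gives no traceback. Catch it ourselves.
    local ok, err = pcall(dissect, buffer, pinfo, tree)
    if not ok then
        local text = "myproto error: " .. tostring(err)
        pinfo.cols.info = text   -- error becomes part of the column string
        print(text)              -- also written to the console
    end
end

register_postdissector(myProto)
```

Because the error text is written to the Info column, a failure in the column-only pass becomes part of the string that pass produces rather than an empty result.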

Stats

Asked: 2024-10-22 13:24:48 +0000

Seen: 155 times

Last updated: Oct 22 '24