Tshark seems to not apply dissectors since 4.2.x when filtering output
I'm stumbling over a behavior which seems to be different in Wireshark 4.2+ compared to 4.0.16 and older. It seems like Tshark 4.2+ is not applying our custom dissectors when converting to text file formats, whereas Wireshark is correctly applying the same dissectors to nicely view the exact same pcapng files. With Wireshark 4.0.x, the dissectors were applied also when converting to text file formats.
What I am doing:
- Capture packets with tshark:
%PROGRAMFILES%\Wireshark\tshark.exe -w [output pcapng file] -i [SPI interface 1] -i [SPI interface 2] -n
- Convert the pcapng from step 1 with tshark to a CSV file:
%PROGRAMFILES%\Wireshark\tshark.exe -r [pcapng file from above] -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E header=y -E separator=, -E quote=d -E occurrence=f
and pipe the output into a file.
- I parse the CSV file using code outside of Wireshark.
What happens:
With Wireshark 4.0.x, the CSV file will contain correctly dissected packets, i.e., the columns _ws.col.protocol and _ws.col.info in the CSV file contain useful data.
With Wireshark 4.2.9, the CSV file contains nothing useful. The column _ws.col.protocol contains the string "Split SPI" for every single one of thousands of packets, while _ws.col.info is just an empty string for every single packet.
No errors are printed to stderr.
What I expect to happen:
Wireshark 4.2.9 should behave like 4.0.16 and older. I could not find anything related to this in the 4.2 release notes. If something is wrong with the dissectors, I would prefer to see an error message.
Additional info:
Wireshark works fine, only Tshark text output is affected
If I open the pcapng file (no matter whether it was traced with Wireshark 4.0.16 or 4.2.9 or 4.4.2) with any Wireshark version (both 4.0.16 and 4.2.9 and 4.4.2 work fine), the dissectors are correctly applied. I can see that both the "Protocol" and the "Info" column contain useful information, the same as the CSV files did with Tshark 4.0.16.
(For Wireshark 4.4.2 I had to adapt some of the lua code because the dissectors were very old and incompatible with the newer lua versions in Wireshark 4.4.x)
Same problem with JSON instead of CSV
The problem is present also when switching the output format to JSON using -T json. In this case also the contents of the JSON file look like the dissector is not working or not applied.
Questions:
- Am I missing a change in Wireshark?
- How would I start debugging this problem? Tshark doesn't print any errors or warnings.
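A quick sanity check over the exported CSV, added here as an example and not part of the original question or of Wireshark: it parses the output of the -T fields command above (header row, comma separator, double quotes) and flags the exact symptom described, a single constant _ws.col.Protocol value with an empty _ws.col.Info on every row. The two embedded CSV samples are constructed to mimic the good and bad case; the protocol name "MyProto" and the Info strings are placeholders, not real dissector output.

```python
"""Sanity check for tshark '-T fields' CSV exports.

Added example, not from the original post. It detects the pattern
described in the question: every row carrying the same Protocol column
value and an empty Info column, which suggests the higher-level
dissectors did not run. The CSV samples below are constructed to match
the tshark options in the question (-E header=y -E separator=, -E quote=d
-E occurrence=f); "MyProto" and the Info texts are placeholders.
"""
import csv
import io
from collections import Counter

# Column names as emitted by tshark -E header=y for the -e fields used above
FRAME_COL = "frame.number"
PROTO_COL = "_ws.col.Protocol"
INFO_COL = "_ws.col.Info"

# Constructed sample of the 4.0.x ("good") behaviour: higher-level
# dissectors fill both columns (protocol and Info values are hypothetical).
GOOD_CSV = (
    '"frame.number","_ws.col.Protocol","_ws.col.Info"\n'
    '"1","Split SPI","MOSI: 8 bytes"\n'
    '"2","MyProto","Read register 0x10"\n'
    '"3","MyProto","Write register 0x10, value 0x42"\n'
)

# Constructed sample of the symptom reported for tshark 4.2.9: a constant
# Protocol column and an empty Info column on every row.
BAD_CSV = (
    '"frame.number","_ws.col.Protocol","_ws.col.Info"\n'
    '"1","Split SPI",""\n'
    '"2","Split SPI",""\n'
    '"3","Split SPI",""\n'
)


def load_rows(csv_text):
    """Parse tshark CSV output and verify the expected columns are present."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=",", quotechar='"')
    rows = list(reader)
    missing = {FRAME_COL, PROTO_COL, INFO_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"CSV is missing expected columns: {sorted(missing)}")
    return rows


def check_dissection(csv_text):
    """Summarise the export and decide whether dissectors appear to have run.

    'dissected' is False when every row has the same Protocol value and
    every Info field is empty, i.e. the pattern from the question.
    """
    rows = load_rows(csv_text)
    protocols = Counter(r[PROTO_COL] for r in rows)
    empty_info = sum(1 for r in rows if r[INFO_COL].strip() == "")
    looks_undissected = len(rows) > 0 and len(protocols) == 1 and empty_info == len(rows)
    return {
        "frames": len(rows),
        "protocols": dict(protocols),
        "empty_info": empty_info,
        "dissected": not looks_undissected,
    }


if __name__ == "__main__":
    import sys

    # Usage: python check_tshark_csv.py output.csv
    with open(sys.argv[1], newline="") as fh:
        print(check_dissection(fh.read()))
```

Running it against an export from each tshark version gives a one-line verdict per file, which is a cheaper first step than eyeballing thousands of rows, and the per-protocol counts show whether only the lowest layer ("Split SPI") ever appears.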
Can you share frame.protocols from a known good packet in Wireshark.
Both in a good and in a bad case, frame.protocols is splitspi according to the Wireshark GUI. splitspi is the simplest (no dependencies) of the protocols defined in our own Dissector lua files. It splits SPI packets into MISO and MOSI and is the underlying protocol which the other protocols are reusing in their code.
Is this part of the dissector working properly?
It's easiest when we can see a capture file and the lua code.
Assuming these are proprietary we'll need to come up with a shared example to look at.
It's probably something related to not having a visible tree but there are other possibilities I suppose. What happens if you try adding a filter containing your protocol or other fields you expect to show up (or the columns?)
Also, are your Lua dissectors postdissectors, or are they ordinary dissectors? I imagine this won't work with postdissectors.