Ask Your Question
0

Looking for strategies when Lua dissectors are getting too big

asked 2025-01-08 00:04:35 +0000

tasty_sprout gravatar image

updated 2025-01-08 00:05:04 +0000

Hey there!

While working on my first dissector I hit Wireshark's and Lua's ressource constraints. I used up all the 200 local variables at ProtoFields, and from the looks I still have use for at least 200+ variables. At the moment the dissector has about 2000 lines of code, and I covered roughly 20% of the protocol.

I get error messages like these:

  • [..] too many local variables (limit is 200) ..
  • [..] function or expression too complex near ..

The second error is apparently from the Lua VM. According to this SO comment the Lua VM has (only) 255 registers: https://stackoverflow.com/q/54609218

There is potential to reduce the number of local variables within functions that get referenced by proto.dissector() - but the readability of the code will suffer, and I'm not sure if these non-ProtoField local variables are contributing to the exhaustion after all. Nevertheless such an optimization won't free nearly enough variables to cover the remaining 80% of the protocol.

I found this posting in which cmaynard suggested putting the variables in a Lua table but the example wasn't verbose enough for me to successfully apply. I tried putting ProtoFields in a table but I failed unpacking the content in proto.fields = {}. :(

https://osqa-ask.wireshark.org/questi...

So what are the/my options to successfully implement such a variable-heavy protocol in Wireshark?

  • Break up the dissector and write a dissector for each component of the protocol?
  • Use global variables instead of local vars?
  • [Your brilliant suggestions here :) ]

Thank you and have a nice day!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2025-01-08 15:22:00 +0000

cmaynard gravatar image

Regarding " I used up all the 200 local variables at ProtoFields, and from the looks I still have use for at least 200+ variables." ...

You can use a table to group them all into a single variable, for example, a snippet from the Guacamole dissector I wrote and published on the Wireshark wiki:

-- Fields
local pf = {
    length = ProtoField.uint32("guacp.len", "Length", base.DEC, nil, 0, "The length of the message"),
    instructions = ProtoField.uint32("guacp.instructions", "Instructions", base.DEC, nil, 0, "The number of instructions"),
    instruction = ProtoField.bytes("guacp.instruction", "Instruction", base.NONE),
    ...
}

-- Register protocol fields
p_guacp.fields = pf

And an example usage:

local function dissect_instruction(tvbuf, pinfo, tree, offset, count)
    local instr_tree

    ...
    instr_tree = tree:add(pf.instruction, tvbuf(offset, (off + 1) - offset)):set_text("Instruction " .. count .. ": ")
    ...

end -- dissect_instruction()

Maybe see how far you get with this idea and reply again if you're still hitting resource limits?

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-01-08 00:04:35 +0000

Seen: 31 times

Last updated: yesterday

Related questions

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Reuse (part of) a Wireshark Dissector

Use UDS dissector inside DoIP dissector

How to register LUA dissectors without GUI

How to use two lua dissectors together ?

What's the difference between a dissector, post-dissector and tap?

advice on LUA dissector

how to register a new LUA based dissector only to udp src port

how to get SDP information from the Lua