Explicitely call a specific Lua dissector from a Lua tap/listener w/o a tree?
Hi everyone,
I've been able to use a dissector for a custom protocol which transports data over USB bulk packets. The "outermost layer" of the custom protocol looks as follows:
┌────────────────────┐ ┌───────────────┐ ┌────────────────────┐
│┌───┐┌───┐┌───┐┌───┐│ │┌───┐┌───┐┌───┐│ │┌───┐┌───┐┌───┐┌───┐│
││a ││b ││a ││b ││ ││a ││a ││c ││ ││a ││b ││a ││c ││
│└───┘└───┘└───┘└───┘│ │└───┘└───┘└───┘│ │└───┘└───┘└───┘└───┘│
└────────────────────┘ └───────────────┘ └────────────────────┘
USB bulk packet #1 USB bulk packet #2 USB bulk packet #3
In the next step, I'd like to call another dissector for the "inner layer" of that protocol. Let's say frames of type b.
I've written a tap/listener in Lua which is called for every frame of the "outermost layer", i.e. for frames of types a, b and c. I can identify frames of type b and want to call the dissector for the payload of the "inner layer".
What I am currently trying is:
Call InnerLayerTypeB_protocol.dissector:call(some_tvb, pinfo, tapinfo) from function tap.packet(pinfo, tvb, tapinfo).
The problem: The function parameters.
First argument of type Tvb? These are the payload bytes I want to hand over to the dissector. I can construct a new Tvb object, no problem: local bc_tvb = ByteArray.tvb(stream_data, "My Tvb") -- where stream_data = fi.value taken from some specific field (local fields = { all_field_infos() } ... for ix, fi in ipairs(fields) do). That might work.
Second argument: pinfo? No problemo... as function tap.packet(pinfo, tvb, tapinfo) already gets that itself as a third argument.
Third argument: tree. I don't have access to "the existing tree"... and I don't really care. Is there a way to create an "empty tree" and use it? I don't need to access anything that exists yet, just dissect the "inner layer". Unfortunately, TreeItem:new() does not exist. I also cannot pass it nil or an empty table ({}).
According to https://www.wireshark.org/docs/wsdg_h..., a Listener "can read the tree, the packet’s Tvb buffer as well as the tapped data, but it cannot add elements to the tree". So.. can I maybe create a copy of an existing tree?
I might be mis-using something here because I haven't fully understood Wireshark concepts yet. Maybe postdissectors or chained dissectors is the way to go, but I do not understand how to use them.. if the "outer layer" is not something existant such as TCP.
Every pointer will be helpful!
Cheers
Here is the Cliff Notes version. Do you want to update the tree(dissector) or the gui (tap/listener)?
Hi Chuck. Thanks for your comment. Actually both. But it seems that I need two dissectors - one for the "outer layer" (dissect USB bulk payload into custom protocol frames) and one for the "inner layer" (dissect custom protocol frames of a certain type into its details -- dissecting the nesting unsupported protocol with its own fields). In the next step, I'd like to add a Tap/Listener to make sense of the "inner layer" data ("Relate data across multiple packets", like pretty-printing them in a WIndow). Challenge: selection or detection of the "certain type". I think throwing a heuristic dissector at the "outer layer" won't work as this will produce too many fale positives. I need to add some IDs to the runtime configuration -- which I've only seen available for Taps/Listeners ("Add menu items/utilities"). But I guess that I'll use command line arguments for Lua ...(more)