
Enable Search by Subtree in LUA Script

asked 2025-05-28 07:08:51 +0000

cynox

Hi there,

I have a LUA script for a dissector and I want the subtrees to be searchable from the search bar like: MyProtocol.subtreename.fieldname or another similar method.

Currently I can search like: MyProtocol.fieldname, but it is not that useful as the same field can appear on multiple subtree types.

Context: I have many types of messages coming and I parse them into a subtree depending on their type on the run. For example, if 3rd byte of the incoming message is 3, it is parsed to message fields corresponding to type 3.

Example for message type 3:

My Protocol

-Message Type 3 Subtree

--Message Type 3 field 1

--Message Type 3 field 2

--Message Type 3 field 3

For message type 4:

My Protocol

-Message Type 4 Subtree

--Message Type 4 field 1

--Message Type 4 field 2

I want to search by MyProtocol.Message_Type_4_Subtree.

I am open to any advice or any other method to achieve something similar.

Many Thanks


Comments

Can you share code showing how you add your protocol and fields?
Or point to an example in the Lua section of the wiki.

Chuckc (2025-05-28 10:17:02 +0000)

Code excerpt:

    -- Proto object assumed to be declared before the fields (omitted from the excerpt)
    local myProtocol = Proto("myProtocol", "My Protocol")

    -- base.DEC is the display base; a bare DEC is not defined in Wireshark's Lua API
    type_field = ProtoField.uint8("myProtocol.type", "type", base.DEC)
    myField1 = ProtoField.uint8("myProtocol.myField1", "myField1", base.DEC)
    myField2 = ProtoField.uint8("myProtocol.myField2", "myField2", base.DEC)
    myField3 = ProtoField.uint8("myProtocol.myField3", "myField3", base.DEC)
    myField4 = ProtoField.uint8("myProtocol.myField4", "myField4", base.DEC)

    -- every ProtoField added to the tree must be registered here, type_field included
    myProtocol.fields = {type_field, myField1, myField2, myField3, myField4}

    function myProtocol.dissector(buffer, pinfo, tree)
       local subtree = tree:add(myProtocol, buffer(), "MyProtocol")
       -- read the type from the TvbRange; a TreeItem has no le_uint() method
       local type = buffer(0,1):le_uint()
       subtree:add(type_field, buffer(0,1))
       if type == 3 then
          local new_subtree = subtree:add(myProtocol, buffer(), "Message Type 3")
          new_subtree:add_le(myField1, buffer(1,1))
          new_subtree:add_le(myField2, buffer(2,1))
       elseif type == 4 then
          local new_subtree = subtree:add(myProtocol, buffer(), "Message Type 4")
          new_subtree:add_le(myField3, buffer(1,1))
          new_subtree:add_le(myField4, buffer(2,1))
       end
    end

This is a general idea of what is happening. I had to hide some information so if there are any syntax errors, ignore as it parses correctly both the ...(more)

cynox (2025-05-28 11:25:51 +0000)

Not that it's perfect (the bazillion protocols for BT GATT - ugh) but have you looked at how other protocols handle this? You could look at the Wireshark Display Filter Reference or in the gui - Table 3.5. Internals menu items

Here's a POC. Close to what you're looking for?

Frame 1: Packet, 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface Fake IF, Import from Hex Dump, id 0
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 10.1.1.1 (10.1.1.1), Dst: 10.2.2.2 (10.2.2.2)
User Datagram Protocol, Src Port: 12345, Dst Port: 0
MyProtocol
    type: 3
    MessageType3: 4d:65:73:73:61:67:65:20:54:79:70:65:20:33:00:00:ad:62
        myField1: 1
        myField2 ...
(more)
Chuckc (2025-05-28 20:29:30 +0000)

I don't understand your question.

In the particular example you've given, can't you just filter for myprotocol.type == 3? Doesn't that always give exactly the same results as filtering for the existence of the Message Type 3 Subtree?

johnthacker (2025-05-29 01:06:30 +0000)

1 Answer


answered 2025-05-29 01:09:50 +0000

johnthacker

updated 2025-05-29 01:13:51 +0000

In the case you've given, you can just filter for the value of myprotocol.type, like filtering for myprotocol.type == 4. However, suppose that you're talking about a case where you don't add a field like that.

You can't filter for subtrees. But you can filter for the node that is the root of a subtree, which is what you want.

In a C dissector, when you add a subtree to a tree (proto_tree_add_subtree), what it really does is create a special text-only node (of type FT_NONE) that cannot be filtered, and then adds a subtree underneath. To effectively filter for a subtree in a C dissector, you register a FT_NONE field, add that to the tree, and then add a subtree underneath. (proto_tree_add_item() with the FT_NONE, and then proto_item_add_subtree(tree_item, ett)). Doing it that way, while sometimes more work, creates an item you can filter (and also has other good effects like making JSON or XML output more consistent.) That item doesn't have a value, so you can only filter for its existence. (If you want to filter for value, like for the byte it contains, it can be added as a FT_BYTES, possibly with NO_DISPLAY_VALUE set.)

In Lua, you would do something similar. Register a ProtoField.none called Message_Type_4_Subtree, and add that to tree. Then add child items under it. E.g.,

-- the new field must also be listed in myProtocol.fields like the others
mySubtreeField4 = ProtoField.none("myProtocol.message_type_4_subtree", "Message Type 4")
...
elseif type == 4 then
      -- a ProtoField.none item is the filterable root of the subtree
      local new_subtree = subtree:add(mySubtreeField4, buffer())
      new_subtree:add_le(myField3, buffer(1,1))
      new_subtree:add_le(myField4, buffer(2,1))
end
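A complete dissector that applies the answer's technique for both message types, added here as an illustration rather than code from the thread. It assumes the protocol is carried on UDP port 12345 (the port in Chuckc's POC) and the byte layout from the question (type at offset 0, one-byte fields after it); the table-driven layout and the length check are additions.

```lua
-- Added example, not code from the thread. Each message type gets a
-- ProtoField.none root so frames can be filtered with e.g.
--   myProtocol.message_type_4_subtree
-- Assumed: UDP port 12345; type byte at offset 0, one-byte fields after it.
local myProtocol = Proto("myProtocol", "My Protocol")

local type_field = ProtoField.uint8("myProtocol.type", "type", base.DEC)
-- FT_NONE fields carry no value, but their presence is filterable.
local subtree3 = ProtoField.none("myProtocol.message_type_3_subtree", "Message Type 3")
local subtree4 = ProtoField.none("myProtocol.message_type_4_subtree", "Message Type 4")
local myField1 = ProtoField.uint8("myProtocol.myField1", "myField1", base.DEC)
local myField2 = ProtoField.uint8("myProtocol.myField2", "myField2", base.DEC)
local myField3 = ProtoField.uint8("myProtocol.myField3", "myField3", base.DEC)
local myField4 = ProtoField.uint8("myProtocol.myField4", "myField4", base.DEC)

-- every field used in the tree must be registered, the subtree roots included
myProtocol.fields = { type_field, subtree3, subtree4,
                      myField1, myField2, myField3, myField4 }

-- Map a type byte to its root field and body fields; adding a message
-- type is then one table entry instead of another elseif branch.
local MESSAGE_TYPES = {
  [3] = { root = subtree3, fields = { myField1, myField2 } },
  [4] = { root = subtree4, fields = { myField3, myField4 } },
}

function myProtocol.dissector(buffer, pinfo, tree)
  if buffer:len() < 1 then return 0 end
  pinfo.cols.protocol = myProtocol.name
  local top = tree:add(myProtocol, buffer(), "MyProtocol")
  local msg_type = buffer(0, 1):le_uint()   -- value comes from the TvbRange
  top:add(type_field, buffer(0, 1))

  local spec = MESSAGE_TYPES[msg_type]
  if spec == nil then
    top:add_expert_info(PI_UNDECODED, PI_NOTE, "unknown message type")
    return buffer:len()
  end
  -- reject truncated messages instead of throwing on an out-of-range offset
  if buffer:len() < 1 + #spec.fields then
    top:add_expert_info(PI_MALFORMED, PI_ERROR, "message too short for its type")
    return buffer:len()
  end
  -- the root item is a real FT_NONE field, so it can be filtered by name
  local sub = top:add(spec.root, buffer(1))
  for i, field in ipairs(spec.fields) do
    sub:add_le(field, buffer(i, 1))
  end
  return buffer:len()
end

DissectorTable.get("udp.port"):add(12345, myProtocol)
```

With this loaded, the filter myProtocol.message_type_3_subtree selects only type-3 frames, and the expert info marks frames whose type byte is unknown or whose body is shorter than the type requires.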

Comments

This is the answer, it searches perfectly and looks clean.

Thank you for your response and thank you to all who have contributed.

Regarding your question about just checking for type, there are hundreds of message types and each message has a unique name and a unique use case which is just easier to remember than a number.

cynox (2025-05-29 05:21:59 +0000)
