Ask Your Question
0

How to decompress zlib format package in dissector? [closed]

asked 2025-09-13 13:21:26 +0000

xietao gravatar image

I wrote a dissector. I need to decompress zlib format package when analyzing data. I have tried:

  1. local zlib = require("zlib") - got an error saying the package was not found;
  2. local zlib = require("zlib1") - got an error saying it was not a valid dll.

Currently, I am using a solution of calling Python code, but this is very inefficient. Some of my code is as follows:

local compressed_data = buffer(40, data_length - 36)  
local compressed_hex = tostring(compressed_data:bytes():tohex())  
local handle = io.popen("python -c \"import zlib,binascii,sys;print(zlib.decompress(binascii.unhexlify(sys.argv[1])).decode('utf-8'))\" " .. compressed_hex, "r")  
local content = handle:read("*a")  
handle:close()

Could you please tell me how to solve this problem?

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by xietao
close date 2025-09-13 15:52:58.940992

add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2025-09-13 14:30:42 +0000

Chuckc gravatar image

If running a newer/current version of Wireshark, have you looked at:

WSDG: 13.6.3. TvbRange

13.6.3.28. tvbrange:uncompress_zlib(name)

Given a TvbRange containing zlib compressed data, decompresses the data and returns a new TvbRange containing the uncompressed data. Since: 4.3.0

edit flag offensive delete link more

Comments

Thank you very much for your solution. I have solved this problem by using tvbrange:uncompress_zlib(name).

function p_xxxx_proto.dissector(tvb, pinfo, tree)

local subtree = tree:add(p_xxxx_proto, tvb:range(offset), "xxxxxxxxxx")

local compressed_data = tvb:range(40, data_length - 36)

subtree:add(f_data, compressed_data:uncompress_zlib(compressed_data:string()))

xietao gravatar imagexietao ( 2025-09-13 15:44:36 +0000 )edit
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-09-13 13:21:26 +0000

Seen: 53 times

Last updated: 1 hour ago