This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Getting field values from ProtoField

0

I have a ProtoField defined as:

proto.led = ProtoField.uint8("led", "LED", base.HEX, LED_FLAGS, 0x1)

That bit changes a few fields in the message. Ideally, I'd be able to do something like:

if (proto.led) then
   -- do a
else
   -- do b
end
Is there any shortcut to grabbing the value of a field (or bit) from the ProtoField definitions? The bit field is displayed correctly in the GUI, so I know I am parsing this part right.

This would be easy in a C dissector. I'm still fumbling my way thru Lua.

Thanks.

asked 22 May '12, 06:26

TalleyHo
51338
accept rate: 0%

edited 22 May '12, 07:13

helloworld
3.1k42041


One Answer:

1

Unfortunately, that's not possible. The ProtoField only defines the format of the field; it isn't aware of packet buffers or offsets, both of which would be required to determine the field value.

On the other hand, Field extractors can pull field values from the current packet without being given buffers/offsets (the fields would already have been parsed by a dissector). However, this is only available from a tap or postdissector, and it doesn't work for Lua-defined fields (unverified).

EDIT: You might be interested in TvbRange.bitfield() and Wireshark Lua's built-in bit library, as demonstrated below.

local proto_foo = Proto('foo', 'Foo Protocol')
local f = proto_foo.fields

local LED_FLAGS = { [0] = 'off', [1] = 'on' }
f.led = ProtoField.uint8('foo.led', 'LED', base.HEX, LED_FLAGS, 0x01)

local LED_BYTE_OFFSET = 0
local LED_BIT_INDEX = 7 -- rightmost bit in MSB-0 bit numbering

function proto_foo.dissector(buf, pinfo, tree)
    -- use TvbRange.bitfield(offset, length)
    local bitval = buf(LED_BYTE_OFFSET, 1):bitfield(LED_BIT_INDEX, 1)
    print('bit', bitval, LED_FLAGS[bitval] or '?')

    -- or use the built-in "bit" library (no need to use "require")
    local num = buf(LED_BYTE_OFFSET, 1):uint()
    local bitval2 = bit.band( bit.rshift(num, 7 - LED_BIT_INDEX), 1 )
    print('bit', bitval2, LED_FLAGS[bitval2] or '?')
end

answered 22 May '12, 06:49

helloworld
3.1k42041
accept rate: 28%

edited 22 May '12, 17:41

I could grab the buffer and parse it, but I don’t see bitwise operators in Lua. However, the Lua docs state that is only supported in 5.2. Unfortunately, I’m not quite there yet. Is there another way to handle this fork in the road? Right now I key off the remaining packet length, but I’m not happy with that /solution/.

(22 May '12, 07:00) TalleyHo

See updated answer. And Wireshark Lua has a built-in bit library, which I think is a copy of: http://bitop.luajit.org/api.html

(22 May '12, 07:10) helloworld

Awesome. I didn’t know about the bitfield function. Although, I think the docs may be bass-ackwards. The LED bit in my case is bit 5, however, I had to use extendedMsg = buffer(offset, 1):bitfield(2, 1) which says that the start position is 2 from the LEFT and 1 bit in width. Thanks for the pointer to bitfield, that did the trick.

(22 May '12, 12:56) TalleyHo

You’re right. bitfield() (actually, its underlying C function: _tvb_get_bits64) uses MSB-0 bit numbering. The wiki for bitfield() has been corrected. Thanks.

(22 May '12, 17:39) helloworld
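
The thread's conclusion put together as an added example (not code from either poster): a minimal Wireshark Lua dissector that reads a flag bit with TvbRange:bitfield() using MSB-0 positions, branches on it, and checks lengths before each read. The 'ledx' protocol, its message layout, the field names and UDP port 50000 are assumptions made for illustration.

```lua
-- Added example: hypothetical "ledx" protocol; layout, names and port are assumptions.
local p = Proto('ledx', 'LED Example Protocol')
local f = p.fields

local LED_FLAGS = { [0] = 'off', [1] = 'on' }
local LED_BIT   = 5      -- LSB-0 bit number, the way a spec usually states it
local LED_MASK  = 0x20   -- the same bit as a mask, used only for display

f.flags = ProtoField.uint8('ledx.flags', 'Flags', base.HEX)
f.led   = ProtoField.uint8('ledx.led', 'LED', base.HEX, LED_FLAGS, LED_MASK)
f.level = ProtoField.uint16('ledx.level', 'Brightness', base.DEC)
f.code  = ProtoField.uint8('ledx.code', 'Status code', base.DEC)

-- TvbRange:bitfield() counts from the most significant bit (MSB-0), so
-- LSB-0 bit n of a width-bit range sits at position width - 1 - n.
-- For bit 5 of one byte that is position 2, as found in the comments above.
local function msb0_position(lsb0_bit, width)
    return width - 1 - lsb0_bit
end

function p.dissector(buf, pinfo, tree)
    -- Packet data is untrusted: check the length before every read,
    -- because an out-of-range TvbRange raises a Lua error.
    if buf:len() < 1 then return 0 end

    pinfo.cols.protocol = 'LEDX'
    local subtree = tree:add(p, buf())
    local flags = buf(0, 1)
    subtree:add(f.flags, flags)
    subtree:add(f.led, flags)   -- display only; the ProtoField applies LED_MASK

    -- The ProtoField cannot be queried, so read the bit from the buffer.
    local led_on = flags:bitfield(msb0_position(LED_BIT, 8), 1) == 1

    -- Assumed layout: LED on -> 2-byte brightness, LED off -> 1-byte status code.
    local need = led_on and 3 or 2
    if buf:len() < need then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, 'truncated LEDX message')
        return buf:len()
    end
    if led_on then
        subtree:add(f.level, buf(1, 2))
    else
        subtree:add(f.code, buf(1, 1))
    end
    return need
end

DissectorTable.get('udp.port'):add(50000, p)
```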