This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

lua tap for bundled packets

Hi,

Let's say I have a packet that looks like this:

[ETH, IP, HEADER, PAYLOAD, HEADER, PAYLOAD]

My header consists of header.x1, header.x2 and header.x3, and the payload is payload.x1 and payload.x2.

I want to use a Lua tap to calculate how many [header, payload] packets a file consists of. So in this case, it is just one IP packet, but it consists of two packets with [header, payload]. I have a Lua tap that goes like this:

-- simple_http.lua
-- implements a very simple tap in Lua

-- this is going to be our counter
http_packets = 0

-- this is going to be our tap
tap_http = nil

-- first we declare the tap called "http tap" with the filter it is going to use
tap_http = Listener.new(nil,"header.x1 == 2")

-- this function will get called at the end(3) of the capture to print the summary
function tap_http.draw()
    debug("http packets:" .. http_packets)
end

-- this function is going to be called once each time the filter of the tap matches
function tap_http.packet()
    http_packets = http_packets + 1
end

-- this function will be called at the end of the capture run
function tap_http.reset()
    http_packets = 0
end

Now the problem with this, however, is that it will count the above packet only as +1. It will only read the first header.x1, and if this is 2 it will add +1. But if the other bundled header.x2 also is two, it will not be included in the calculation. How can I make this tap read all the bundled packets from this IP packet?

Thank you very much in advance

BR Harkap

asked 22 Apr '13, 02:01

harkap


One Answer:

I'd do it by using a generic tap and an extractor. Now, depending on your protocol, it will be either a common extractor for the same field type that returns a table, or two separate extractors.

Code below is not tested, but you should get the idea:

x1_extractor = Field.new("header.field1")
x2_extractor = Field.new("header.field2")
x3_common_extractor = Field.new("header.common_field3")
tap_http = Listener.new(nil,"header")
http_packet = 0
function tap_http.packet()
    x1_field = x1_extractor()
    x2_field = x2_extractor()
    -- For a common field in both instances use a table like below
    my_field_table = { x3_common_extractor() }
    -- Lua tables are 1-indexed:
    -- my_field_table[1].value - will give you the value from the first instance
    -- my_field_table[2].value - will give you the value from the second instance
    if x1_field and x1_field.value == 2 then
        http_packet = http_packet + 1
    end
    if x2_field and x2_field.value == 2 then
        http_packet = http_packet + 1
    end
end

Also: Check out this question: How to get multiple values from items

Check out this question: Multiple instances of a protocol in one frame

answered 23 Apr ‘13, 00:39

izopizo

edited 23 Apr ‘13, 00:41
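
Added example, not code from either poster and not tested against the asker's dissector: a tap that applies the table-of-extractor-results idea from the answer to count every instance of header.x1 in a frame. It assumes the dissector registers header.x1 (the name used in the question) as an integer field of 32 bits or less, so that .value is a plain Lua number; the script name and counter names are made up for illustration.

```lua
-- count_bundled.lua (added example)
-- Run with: tshark -q -r capture.pcap -X lua_script:count_bundled.lua

-- Field extractors have to be created at script load time,
-- before the Listener that uses them.
local x1_extractor = Field.new("header.x1")

-- Tap on every frame that contains at least one header.x1 field.
-- The value test is done per instance in Lua, not in the display filter,
-- because the filter only decides whether the frame as a whole matches.
local tap = Listener.new(nil, "header.x1")

local frames   = 0  -- frames carrying at least one header
local bundled  = 0  -- every [header, payload] unit seen
local matching = 0  -- units whose header.x1 equals 2

function tap.packet(pinfo, tvb)
    -- Calling the extractor returns one FieldInfo per occurrence in this
    -- frame; the table constructor captures all of them, not just the first.
    local instances = { x1_extractor() }

    frames  = frames + 1
    bundled = bundled + #instances

    for _, finfo in ipairs(instances) do
        if finfo.value == 2 then
            matching = matching + 1
        end
    end
end

-- In tshark this is called once, at the end of the capture file.
function tap.draw()
    print(string.format(
        "frames: %d, bundled units: %d, units with header.x1 == 2: %d",
        frames, bundled, matching))
end

function tap.reset()
    frames, bundled, matching = 0, 0, 0
end
```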