This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Are Lua dissector fields filterable?

0

I'm wondering how to get the fields declared in a Lua dissector searchable in the filter bar. When trying to declare fields the same way as in various tutorials/samples, despite the fact that the dissector works fine, packets are recognized and decoded, the fields are unavailable to search.

Example :

p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data = ProtoField.string("myproto.data", "Data", FT_STRING)

p_myproto.fields = {f_command,f_data}

myproto.f_data == in the filter bar gives "myproto.f_data isn't a valid display filter" "myproto.f_data is neither a field nor a protocol name"

Are custom fields supposed to be searchable?

asked 06 Dec '13, 06:17

lepolac

edited 06 Dec '13, 13:26

multipleinte…


One Answer:

1

You get the error message "myproto.f_data is neither a field nor a protocol name" because you have used a different string for your field's filter string. Try myproto.data instead.

In the line local f_data = ProtoField.string("myproto.data", "Data", FT_STRING), it is actually the first argument to ProtoField.string that determines the filter string (i.e. "myproto.data"), not the name of the variable into which it is stored (i.e. local f_data).
You could just as easily have typed the following, and it would still use myproto.data as the filter string:

local some_data_field_with_a_long_name = ProtoField.string("myproto.data", "Data", FT_STRING)

answered 06 Dec '13, 13:30

multipleinte...

Hi,

Thanks for answering this. I tried to rename the field but still get the error. Below code for the sake of example :

p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data = ProtoField.string("testdata", "Data", FT_STRING)
local f_debug = ProtoField.uint8("myproto.debug", "Debug")

p_myproto.fields = {f_command,f_data,f_debug}

function p_myproto.dissector (buf, pkt, root)
    if buf:len() == 0 then return end
    pkt.cols.protocol = p_myproto.name
    subtree = root:add(p_myproto, buf(0))
    subtree:add(f_command, buf(0,2)):append_text(" [Command text]")
    subtree:append_text(", Command details here or in the tree below")

    if f_debug then
        subtree:add(f_debug, buf:len())
    end
end

function p_myproto.init()
end

local tcp_dissector_table = DissectorTable.get("tcp.port")
dissector = tcp_dissector_table:get_dissector(80)
tcp_dissector_table:add(80, p_myproto)

(09 Dec '13, 03:08) lepolac

In this code, you haven’t added the f_data field to any part of the tree. You have, however, added the f_command field, so you should be able to filter on myproto.command. Have you looked at the examples at http://wiki.wireshark.org/Lua/Examples ?

(09 Dec '13, 10:35) multipleinte…

Hi, Sorry, didn’t catch that one.. This is not my actual dissector, was just trying to quickly give an example. myproto.command doesn’t work either, I still get myproto.command isn’t a valid display filter. By the way, I tested dozens of various dissectors I found, including the simplest wiki examples, and none of them allow me to access field in the filter. Maybe I’m doing something the wrong way…

(11 Dec '13, 02:02) lepolac
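
The two points made in the answer and its follow-up comment (the first argument to ProtoField is the filter name, and a field only matches in packets where it was added to the tree), as an added example that is not part of the original thread. The wire layout (2-byte command followed by a text payload) and TCP port 7777 are assumptions made up for illustration.

```lua
-- Added example, not code from the thread.
-- Assumed wire format: 2-byte command word, then a text payload.
local p_myproto = Proto("myproto", "My Protocol")

-- The FIRST argument is the display-filter name. The Lua variable names
-- (f_command, f_data) are never visible to the filter bar.
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data    = ProtoField.string("myproto.data", "Data")

-- A field has to be listed here to be registered with the protocol.
p_myproto.fields = { f_command, f_data }

function p_myproto.dissector(buf, pkt, root)
    -- Too short to hold the command word: return 0 so the packet is not claimed.
    if buf:len() < 2 then return 0 end

    pkt.cols.protocol = p_myproto.name
    local subtree = root:add(p_myproto, buf(0))

    -- A field only matches a filter in packets where it was added to the tree.
    subtree:add(f_command, buf(0, 2))
    if buf:len() > 2 then
        subtree:add(f_data, buf(2))   -- everything after the command word
    end
    return buf:len()
end

-- Assumed port for the example; use the port the real protocol runs on.
DissectorTable.get("tcp.port"):add(7777, p_myproto)

-- Display filters that resolve once this script is loaded:
--   myproto
--   myproto.command == 0x0001
--   myproto.data contains "abc"
-- "myproto.f_data" is rejected: no field was registered under that name.
```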