OSQA is unmaintained. Help us figure out where to go from here.

Here's my basic dissector

foo_proto = Proto("foo","foo proto")
foo_proto.fields.bar = ProtoField.string("foo.bar","bar field")

function foo_proto.dissector(buffer,pinfo,tree)
   local subtree = tree:add(foo_proto,"Foo Protocol Data")
   subtree:add(foo_proto.fields.bar, pinfo.number)


I use wireshark 1.4.4, I start wireshark and load my dissector in the Lua "Evaluate" window, my packet got dissected correctly and I can see my bar field under the foo proto.

My problem is that I can't use foo.bar as a filter. When I click on "Expression..." the foo proto appears but it has not fields under. The only filter I can use is: foo

When try to evaluate:

  bar_f = Field.new("foo.bar")

I have:

[string "bar_f = Field.new("foo.bar")"]:1: bad argument #1 
 to 'new' (Field_new: a field with this name must exist)

Surprisingly when I use tshark with the option -T fields -e foo.bar and load the lua script, it works, pinfo.number is displayed.

How can I get my foo.bar field usable in my lua scripts ?


asked 21 Mar '11, 09:01

khshark's gravatar image

accept rate: 0%

edited 21 Mar '11, 09:03

I recreated your problem with Wireshark 1.4.6 on Mac OS X 10.6, but it actually works correctly on Windows XP SP3; Windows Wireshark lets me use foo.bar as a filter, and it evaluates Field.new("foo.bar") without error.

I would submit a bug.

permanent link

answered 28 Apr '11, 09:41

bstn's gravatar image

accept rate: 14%

I can confirm the original posters problem using Version 1.6.2 (SVN Rev 38931 from /trunk-1.6) x64 under Windows 7 x64 (I used the evaluate function to run both commands)

permanent link

answered 14 Sep '11, 05:55

wojtech's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 21 Mar '11, 09:01

question was seen: 5,678 times

last updated: 14 Sep '11, 05:55

p​o​w​e​r​e​d by O​S​Q​A