Display multiple PDUs in a TCP segment

Question

With lots of help, I now understand that a Lua dissector that is meant to extract multiple higher-level PDUs from a given TCP segment must implement its own loop. As an example, I have implemented such a dissector for the TRIVIAL protocol (see homemade packet capture). Running tshark shows:

1 0.000000   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 68 Trivial Info
2 0.000001   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 60 Trivial Info

By running tshark -V, I can see the (multiple) contained Trivial Protocol Data subtrees in these segments. Progress!

Is there any way to have the output of tshark show something like:

1 0.000000   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 68 Trivial Info
1 0.000000   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 68 Trivial Info
1 0.000000   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 68 Trivial Info
2 0.000001   10.1.1.1 6666 10.2.2.2     7777 TRIVIAL 60 Trivial Info

that is, one row per TRIVIAL PDU rather than one row per TCP segment?

Accepted Answer

Th short answer: not currently.

I believe there have been some previous similar requests and some discussions about same.

Something like implementing an expandable "treeview" for a summary line ?

I think a Google search "site:wireshark.org ..." with some appropriate search terms may find the previous discussions.

Answer 2

Welll, well... it appears Lua can do something C-code can't. :)

Here's your Trivial dissector, with multi-line tshark output (you may need to tweak the makeLine function):

-- declare our protocol
local trivial_proto = Proto("trivial","Trivial Protocol")
local trivial_pdu_len = 4
local makeLine
local function dissect_common(buffer, pinfo, tree, offset)
local subtree = tree:add(trivial_proto,buffer(offset,trivial_pdu_len),&quot;Trivial Protocol Data&quot;)

subtree:add(buffer(offset,2),&quot;The first two bytes: &quot; .. buffer(offset,2):uint())
subtree = subtree:add(buffer(2,2),&quot;The next two bytes&quot;)
subtree:add(buffer(offset+2,1),&quot;The 3rd byte: &quot; .. buffer(offset+2,1):uint())
subtree:add(buffer(offset+3,1),&quot;The 4th byte: &quot; .. buffer(offset+3,1):uint())

local output = &quot;Trivial Info (&quot; .. buffer(offset,2):uint() ..&quot;)&quot;

-- return number of bytes consumed so that more trivial PDUs can be discovered
return trivial_pdu_len, output

end
– create a function to dissect it
function trivial_proto.dissector(buffer, pinfo, tree)

pinfo.cols.protocol = "TRIVIAL"
local pktlen = buffer:len()

local consumed, output = dissect_common(buffer, pinfo, tree, 0)
local remaining = pktlen - consumed
pinfo.cols.info:set(output)

while remaining &gt;= trivial_pdu_len do
    consumed, output = dissect_common(buffer, pinfo, tree, pktlen - remaining)
    pinfo.cols.info:append(makeLine(pinfo,output))
    remaining = remaining - consumed
end

if remaining &gt; 0 then
    pinfo.desegment_offset = pktlen - remaining
    pinfo.desegment_len = trivial_pdu_len - remaining
end

return pktlen - remaining

end
– load the tcp.port table
local tcp_table = DissectorTable.get("tcp.port")
– register our protocol to handle udp port 7777
tcp_table:add(7777,trivial_proto)
– helper function to enable multi-line packet output
makeLine = function (pinfo,output)
local rel_time = string.format("%.6f\t", pinfo.rel_ts)
local line = {
    &quot;\n &quot;,
    tostring(pinfo.number),
    rel_time,
    tostring(pinfo.src),
    tostring(pinfo.src_port),
    tostring(pinfo.dst),
    tostring(pinfo.dst_port),
    &quot;TRIVIAL&quot;,
    tostring(pinfo.len),
    output,
}

return table.concat(line,&quot; &quot;)

end

Okay, okay… so I’m totally cheating. But hey it works! ;)