This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lua dissector puzzle : how to save state

0

I am trying to write a dissector to dissect my protocol in Wireshark. There are some states I want to save for every TCP stream (or session). I want to know the last packet length in the same TCP stream.

I try to use a big table to store them. I use the Field("tcp.stream") to index the stream, but it caused an amazing bug. When I double-click the Pinfo columns, the result in the tree item (which had dissected correctly) suddenly goes bad. I try to use pinfo.visited to solve it, but pinfo.visited is always true.

So, can someone help me?

asked 27 May '15, 19:04


DavidNorth
accept rate: 0%

The bug happened not only when I double-click the pinfo cols; clicking different pinfo cols can also cause the bug.

(27 May '15, 19:07) DavidNorth

2 Answers:

0

As pointed out earlier, the protocol tree is rebuilt each time you click on a packet in the GUI - or more to the point, the packet is completely re-dissected/parsed each time it's clicked, as well as some other times (like when you apply a display filter).

You said you tried to use a big Lua table to store using the Field("tcp.stream") as the index - that's a pretty good idea, but doesn't go far enough... I assume all you're storing in that stream-indexed table is the last packet's length for that given TCP stream index, right? So of course when some earlier packet gets dissected a second/third time, the packet length in that table for that stream index will represent the length of the last dissected packet of the stream, which may not be the packet previous to the one being re-dissected in the GUI list.

So what you need to do is also have a Lua table indexed by packet numbers (pinfo.number), where the value of the table entry is that packet number's previous-packet length. Then in your dissector or tap function check if the current packet is already in that list for its info.number, and if it is then the previous-packet length is the value of the found entry; if an entry isn't already in that table, then go get the number from your stream-indexed table (which represents the previous packet length), replace it with the current packet's length, and put the previous-packet length into the packet-number-indexed table so it will be found if this packet gets dissected again in the future.

answered 27 Jun '15, 18:26


Hadriel
accept rate: 18%
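The two-table scheme described in this answer, written out as a minimal Wireshark Lua dissector. This is an added example, not code from the answer or the original poster; the protocol name "prevlen", its field names and the TCP port 9999 are placeholders, and the state is reset in the `init` hook so a reloaded capture does not reuse entries from the previous file.

```lua
-- Added example (not from the original answer): a minimal Wireshark Lua
-- dissector that remembers the previous packet length per TCP stream in a
-- way that survives re-dissection. Protocol name, field names and the
-- TCP port are assumed placeholders.

local myproto = Proto("prevlen", "Previous Packet Length Demo")

local f_prev_len = ProtoField.uint32("prevlen.prev_len",
    "Previous packet length in stream", base.DEC)
local f_cur_len = ProtoField.uint32("prevlen.cur_len",
    "Current packet length", base.DEC)
myproto.fields = { f_prev_len, f_cur_len }

-- Field extractor for the TCP stream index; the TCP dissector fills it in
-- before a dissector on tcp.port is called.
local tcp_stream_f = Field.new("tcp.stream")

-- stream index -> length of the most recently dissected packet of that stream
local last_len_by_stream = {}
-- frame number (pinfo.number) -> previous-packet length fixed on first dissection
local prev_len_by_frame = {}

-- Reset state when a capture file is opened or reloaded; otherwise entries
-- from the previous file would be returned for matching frame numbers.
function myproto.init()
    last_len_by_stream = {}
    prev_len_by_frame = {}
end

function myproto.dissector(buffer, pinfo, tree)
    local stream_fi = tcp_stream_f()
    if not stream_fi then
        return -- no TCP stream index present, nothing to track
    end

    local stream = stream_fi.value
    local frame = pinfo.number
    local cur_len = buffer:len()

    local prev_len = prev_len_by_frame[frame]
    if prev_len == nil then
        -- First dissection of this frame: the stream's last length is the
        -- "previous" one; then advance the stream state to this packet and
        -- pin the result to this frame number.
        prev_len = last_len_by_stream[stream] or 0
        last_len_by_stream[stream] = cur_len
        prev_len_by_frame[frame] = prev_len
    end
    -- On re-dissection (clicking the packet, applying a display filter)
    -- prev_len comes from prev_len_by_frame and the stream table is untouched,
    -- so the tree shows the same value every time.

    pinfo.cols.protocol = myproto.name
    local subtree = tree:add(myproto, buffer(), "Previous Packet Length Demo")
    subtree:add(f_prev_len, prev_len)
    subtree:add(f_cur_len, cur_len)
end

-- Assumed placeholder port; change it to the port your protocol uses.
DissectorTable.get("tcp.port"):add(9999, myproto)
```

Load it from the plugins directory or with `-X lua_script:`, then click back and forth between packets of one stream: the `prevlen.prev_len` value for a given frame stays stable because it is looked up by frame number rather than recomputed from the stream table.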

Thanks a million. You are very helpful. I'm not good at English, I don't know how to express my gratitude, but what you said really means a lot to me, thanks!!!!! ^__^

(28 Jun '15, 20:42) DavidNorth

0

answered 29 May '15, 06:20


izopizo
accept rate: 0%

edited 28 Jun '15, 20:57


Guy Harris ♦♦