Data dissector called before custom chained dissector

I am trying to build a chained dissector for a custom protocol on top of COTP, TPKT and TCP. Based on the code found at https://wiki.wireshark.org/Lua/Dissectors#chained_dissectors I came up with the following:

local my_protocol = Proto("MyProto", "My Protocol")

local tpkt_dissector

my_protocol.fields = {}

function my_protocol.dissector(tvb, pinfo, tree)
    info("MyProto Dissector called")

    local initial_len = tvb:len()

    local result = tpkt_dissector:call(tvb, pinfo, tree)

    info(string.format("Initial length: %d", initial_len))
    info(string.format("TPKT result: %d", result))
end

local tcp_table = DissectorTable.get("tcp.port")
tpkt_dissector = tcp_table:get_dissector(30001)

tcp_table:set(30001, my_protocol)

The problem, however, is that undissected bytes get passed to the data dissector before my dissector even "gets its turn", i.e. the length of the tvb my dissector receives is equal to the return value of the TPKT dissector.