local p_foo = Proto.new("foo", "foo")
local f_frame_protocols = Field.new("frame.protocols")
function p_foo.dissector(buf, pinfo, tree)
print(pinfo.number, "Protocols: " .. (f_frame_protocols() and
f_frame_protocols().value or "Unknown"))
-- print(pinfo.number, f_frame_protocols().value)
end
register_postdissector(p_foo)
Script above prints to the Lua console.
What was the situation where it doesn't work?
On Tue, Oct 13, 2020 at 12:45 PM Maynard, Chris via Wireshark-dev <
wireshark-dev@wireshark.org> wrote:
> > From: Wireshark-dev <wireshark-dev-boun...@wireshark.org> On Behalf Of
> Fulko Hew
> > Sent: Monday, October 12, 2020 8:00 PM
> > To: Developer support list for Wireshark <wireshark-dev@wireshark.org>
> > Subject: [Wireshark-dev] lua decoder accessing info from layers above
> >
> > I'm trying to update/improve someone else's decoder written in Lua.
> > It's for a simple UDP (and TCP) based protocol.
> > But I need to be able to get access to the upper layer
> > to be able to decode it easily.
> >
> > Can someone provide an example of how to determine if the higher layer
> was UDP or TCP?
> >
> > Thanks
> > Fulko
> >
>
> I was going to suggest a possible alternative solution which would be to
> grab "frame.protocols" and scan it for udp or tcp, but unfortunately this
> method doesn't work. For example:
>
> local f_frame_protocols = Field.new("frame.protocols")
>
> function p_foo.dissector(buf, pinfo, tree)
> print("Protocols: " .. (f_frame_protocols() and
> f_frame_protocols().value or "Unknown"))
> end
>
> I suspect this has something to do with it being a generated field, but
> this looks like a Wireshark bug to me, unless someone can explain why this
> doesn't and shouldn't be expected to work.
> - Chris
>
>
>
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE: This message is the property of International Game
> Technology PLC and/or its subsidiaries and may contain proprietary,
> confidential or trade secret information. This message is intended solely
> for the use of the addressee. If you are not the intended recipient and
> have received this message in error, please delete this message from your
> system. Any unauthorized reading, distribution, copying, or other use of
> this message or its attachments is strictly prohibited.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-requ...@wireshark.org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
