“Apply as Column” for field in custom protocol in Wireshark

I've written a dissector in Lua for my custom protocol:

local myproto = Proto("MyProto", "My Custom Protocol")
myproto.fields.msg_counter = ProtoField.uint8("myproto.msg_counter", "Message counter", base.DEC)

function myproto.dissector(tvbuf, pktinfo, root)
  pktinfo.cols.protocol = myproto.name
  if root.visible then
    root:add_le(myproto.fields.msg_counter, tvbuf(10, 1))
  end
end

local udp_port = DissectorTable.get("udp.port")
udp_port:add(5432, myproto)

That works, the "Message counter" field and its value are correctly displayed in the tree area. But when I right click the field and choose "Apply as Column", the column is added but remains empty:

[Wireshark screenshot]

How can I fix this, so that the field values are displayed in the column view? I'm using Wireshark 3.2.3. Thanks in advance!

Adrian
asked 2020-10-12 10:44:17 +0000, updated 2020-10-12 10:45:28 +0000
1 Answer

Works if I comment out the "visible" check. (tvbuf values different for test data I created)

-- if root.visible then
    root:add_le(myproto.fields.msg_counter, tvbuf(0, 2))
-- end
Chuckc
answered 2020-10-12 17:07:02 +0000
Comments

Wireshark dissection passes explained.
Wireshark Lua API mentions that tree is only created as needed.

Chuckc (2020-10-12 17:51:04 +0000)

Thanks, that worked! But now packet parsing is painfully slow; it takes several minutes per 100k captured packets (and my application generates 36k per second), which is why I added the "visible" check in the first place. Is there a way to avoid dissecting all packets immediately, while still allowing the values in the columns to be displayed?

Adrian (2020-10-12 18:12:24 +0000)

11.7.2.11. treeitem:referenced(protofield)

  if root:referenced(myproto.fields.msg_counter) then
    root:add_le(myproto.fields.msg_counter, tvbuf(0, 2))
  end
Chuckc (2020-10-12 19:42:44 +0000)

I can see that referenced reduces calls to add_le but working with a small capture here.
You might also move setting the protocol column inside the if statement to reduce workload.

  pktinfo.cols.protocol = myproto.name
Chuckc (2020-10-12 19:45:35 +0000)
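
The pieces from this thread combined into one dissector, as an added example that is not part of the original question or answers. It generalizes the single field to a table-driven layout and adds a length guard for truncated packets; the `msg_type` field, the `layout` table and `MIN_LEN` are hypothetical names introduced here, while `msg_counter`, its offset and the UDP port come from the question.

```lua
-- Added example (not from the thread): gate each field on treeitem:referenced()
-- instead of root.visible, so columns and filters get values without building
-- the full tree for every packet.
local myproto = Proto("MyProto", "My Custom Protocol")

myproto.fields.msg_counter =
  ProtoField.uint8("myproto.msg_counter", "Message counter", base.DEC)
-- Hypothetical second field, invented here to show the per-field check.
myproto.fields.msg_type =
  ProtoField.uint8("myproto.msg_type", "Message type", base.HEX)

-- Field layout. Offset 10 / length 1 is taken from the question;
-- the msg_type entry is an assumption for illustration.
local layout = {
  { field = myproto.fields.msg_type,    offset = 0,  len = 1 },
  { field = myproto.fields.msg_counter, offset = 10, len = 1 },
}

-- Smallest packet that contains every field above (offset 10 + 1 byte).
local MIN_LEN = 11

function myproto.dissector(tvbuf, pktinfo, root)
  -- Truncated or malformed packet: tvbuf(10, 1) would raise an error,
  -- so return 0 to tell Wireshark this packet was not dissected here.
  if tvbuf:len() < MIN_LEN then
    return 0
  end

  pktinfo.cols.protocol = myproto.name

  for _, item in ipairs(layout) do
    -- referenced() reports whether a filter, tap or the UI (for example a
    -- column created with "Apply as Column") needs this field. Unreferenced
    -- fields are skipped, which keeps the first pass over a capture cheap.
    if root:referenced(item.field) then
      root:add_le(item.field, tvbuf(item.offset, item.len))
    end
  end

  return tvbuf:len()
end

local udp_port = DissectorTable.get("udp.port")
udp_port:add(5432, myproto)
```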