0

Related packet symbols in Lua dissector

Hi, I am developing a dissector in Lua for our own protocol. I was wondering if it is possible to tell Wireshark which packets are related to which in a Lua dissector, so that it marks them with the different related packet symbols. For example, signal that a packet is a request and another one is a response or something like that. Is that possible?

I am thinking about the packet symbols as shown here: https://www.wireshark.org/docs/wsug_h...

Thank you

Glupsch21
asked 2021-05-21 07:02:08 +0000
cmaynard
updated 2021-05-21 14:25:45 +0000

3 Answers

0

As far as I'm aware, this isn't possible yet, but Issue 15396 ("Add Lua support for tracking conversations") is tracking it.

cmaynard
answered 2021-05-21 14:24:43 +0000
0

I haven't tried this, but ProtoField.framenum() is probably a good place to start.

Roddyp
answered 2021-05-21 09:09:33 +0000
0

For C-based dissectors, track the requests and responses (usually via conversations which I don't know how to do in Lua), and then add fields to the tree to say how the current frame is tied to the other, e.g.

  • For the request, add a field indicating the response is in frame x with the field type set to FT_FRAMENUM, and the FRAME_NUM type set to FT_FRAMENUM_RESPONSE
  • For the response, add a field indicating the request is in frame x with the field type set to FT_FRAMENUM, and the FRAME_NUM type set to FT_FRAMENUM_REQUEST

Some details are in README.request_response_tracking.

For Lua, create the ProtoField with type ftypes.FRAMENUM and the value string set to one of frametype.REQUEST or frametype.RESPONSE; see here for more info on the ProtoField options.

grahamb
answered 2021-05-21 09:44:47 +0000