
Wireshark LUA use field from previous/lower dissector


I have written a custom Lua dissector for ERSPAN. But to apply a different header based on the ERSPAN type indicated by the gre.proto field in the GRE header, I would like to use the value of the gre.proto field in my dissector.

I have already searched and seen methods using a post-dissector, but I am doing something wrong and it is not working for me.

So I would like to have something like this within my custom dissector:

if greprotocolversion == 0x22eb then

...
...

elseif gregreprotocolversion == 0x88be then

..
..

end

What would be the most simple method to accomplish this? Thank you.

asked 2018-05-16 08:17:08 +0000 by WJT
updated 2018-05-16 15:42:09 +0000 by cmaynard


1 Answer


Are you trying to use the GRE proto field or the GRE protocol version field? I think you want the GRE proto field, but your sample code suggests otherwise. In any case, here's a simple example that may help you:

-- Postdissector that annotates the Info column based on the GRE protocol type
grepost = Proto("GREpost", "Append GRE message to info column")

-- Field extractor: reads the gre.proto value the GRE dissector already
-- recorded for the current packet
gre_proto_fe = Field.new("gre.proto")

function grepost.dissector(tvb, pinfo, tree)
    -- The extractor returns nil when the packet has no GRE header,
    -- so guard before reading .value
    local fi = gre_proto_fe()
    if fi == nil then return end

    local gre_proto = fi.value
    if gre_proto == 0x0800 then
        pinfo.cols.info:append(" (GRE/IP)")
    end
end

register_postdissector(grepost)
answered 2018-05-16 15:47:48 +0000 by cmaynard

Comments

It doesn't even need to be a postdissector, field extractors can be used in regular dissectors as well (or at least this was possible in 2.4.x).

sindy (2018-05-16 19:14:18 +0000)

Hi Thanks for the help.

Indeed I mean to use the GRE proto field.

I used the code in my dissector and it is working. Also, as sindy mentioned, only using the field extractor works for me and is enough in this case.

Thank you all.

WJT (2018-05-17 06:41:41 +0000)
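Putting the answer and sindy's comment together, here is an added example (not code from the thread, and not Wireshark's own ERSPAN dissector) of the pattern the question asks for: a regular dissector registered in the gre.proto table that reads the gre.proto value through a Field extractor and picks the ERSPAN header layout from it. The protocol name erspan_demo, the field names, and the Type II / Type III header layouts are this example's own assumptions; the layouts follow the ERSPAN drafts as understood here and should be checked against Wireshark's built-in packet-erspan.c before relying on them.

```lua
-- Added example: ERSPAN header layout selected from gre.proto via Field.new,
-- inside an ordinary (non-post) dissector. Wireshark 2.4+ Lua API assumed.
local erspan_demo = Proto("erspan_demo", "ERSPAN (demo, selected by gre.proto)")

-- Fields common to both header types; masks let Wireshark do the bit-slicing
local f_version   = ProtoField.uint16("erspan_demo.version",    "Version",    base.DEC, nil, 0xF000)
local f_vlan      = ProtoField.uint16("erspan_demo.vlan",       "VLAN",       base.DEC, nil, 0x0FFF)
local f_session   = ProtoField.uint16("erspan_demo.session_id", "Session ID", base.DEC, nil, 0x03FF)
-- Type II only
local f_index     = ProtoField.uint32("erspan_demo.index",      "Index",      base.DEC, nil, 0x000FFFFF)
-- Type III only (assumed layout: Ver/VLAN, COS/BSO/T/Session, Timestamp, SGT, P/FT/HWID/D/Gra/O)
local f_timestamp = ProtoField.uint32("erspan_demo.timestamp",  "Timestamp",  base.DEC)
local f_sgt       = ProtoField.uint16("erspan_demo.sgt",        "SGT",        base.DEC)
local f_opt       = ProtoField.uint8("erspan_demo.o", "Optional subheader present", base.DEC, nil, 0x01)

erspan_demo.fields = { f_version, f_vlan, f_session, f_index, f_timestamp, f_sgt, f_opt }

-- Extractor for the protocol type the GRE dissector parsed just before us
local gre_proto_fe = Field.new("gre.proto")
-- The mirrored frame inside ERSPAN is Ethernet without FCS
local eth_dissector = Dissector.get("eth_withoutfcs")

-- ERSPAN Type II (gre.proto 0x88be): fixed 8-byte header
local function dissect_type2(tvb, subtree)
    subtree:add(f_version, tvb(0, 2))
    subtree:add(f_vlan,    tvb(0, 2))
    subtree:add(f_session, tvb(2, 2))
    subtree:add(f_index,   tvb(4, 4))
    return 8
end

-- ERSPAN Type III (gre.proto 0x22eb): 12-byte header, plus an 8-byte
-- platform-specific subheader when the O bit (last bit of the header) is set
local function dissect_type3(tvb, subtree)
    subtree:add(f_version,   tvb(0, 2))
    subtree:add(f_vlan,      tvb(0, 2))
    subtree:add(f_session,   tvb(2, 2))
    subtree:add(f_timestamp, tvb(4, 4))
    subtree:add(f_sgt,       tvb(8, 2))
    subtree:add(f_opt,       tvb(11, 1))
    local hdr_len = 12
    if tvb(11, 1):bitfield(7, 1) == 1 then
        hdr_len = hdr_len + 8
    end
    return hdr_len
end

function erspan_demo.dissector(tvb, pinfo, tree)
    -- nil when we were not reached through GRE (e.g. via "Decode As" on UDP)
    local fi = gre_proto_fe()
    if fi == nil then return 0 end
    local gre_proto = fi.value

    -- Pick the layout and its minimum length before touching any bytes
    local parser, min_len, label
    if gre_proto == 0x88be then
        parser, min_len, label = dissect_type2, 8, "ERSPAN II"
    elseif gre_proto == 0x22eb then
        parser, min_len, label = dissect_type3, 12, "ERSPAN III"
    else
        return 0  -- not ours; let Wireshark try something else
    end

    pinfo.cols.protocol = label
    local subtree = tree:add(erspan_demo, tvb())
    if tvb:len() < min_len then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "ERSPAN header truncated")
        return tvb:len()
    end

    local hdr_len = parser(tvb, subtree)
    if tvb:len() < hdr_len then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "ERSPAN subheader truncated")
        return tvb:len()
    end
    subtree:set_len(hdr_len)

    -- Hand the mirrored frame to the Ethernet dissector
    eth_dissector:call(tvb(hdr_len):tvb(), pinfo, tree)
    return tvb:len()
end

-- Register for both ERSPAN protocol types in the GRE table. While this script is
-- loaded it replaces Wireshark's built-in ERSPAN dissector for these two values.
local gre_table = DissectorTable.get("gre.proto")
gre_table:add(0x88be, erspan_demo)
gre_table:add(0x22eb, erspan_demo)
```

Two points worth keeping in mind when adapting this: the tvb handed to a gre.proto subdissector starts right after the GRE header, so all offsets above are relative to the ERSPAN header, not the packet; and because the extractor only returns a value once the GRE dissector has run for the current packet, the nil check is what keeps the script from throwing when the same dissector is invoked through some other path.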
