Hi all,
I'm trying to write a Lua Proto to parse our private protocol on HTTP.
But Wireshark didn't enter my dissector function when the media_type is set to
"application/octet-stream". When the media_type is set to "text/html",
everything looks fine.

Is there special handling for application/octet-stream?

I have been working on it for almost a day. Could you help me out?
Thx a lot

My Wireshark version is 1.10.2 on Mac OS X 10.8.5.

Here's my code

do
    -- Declare the protocol and its single field
    local myproto = Proto("myprotoProtocol","myproto Protocol")
    local f_version = ProtoField.uint32("Version","Version",base.DEC)
    myproto.fields = {f_version}
    -- Fallback dissector for payloads that are not myproto
    local data_dis = Dissector.get("data")

    -- Returns true if the buffer was dissected as myproto, false otherwise
    local function myproto_dissector(tvb,pkt,root)
        print("enter myproto_dissector, tvb.len:"..tostring(tvb:len()))
        if tvb:len() < 17 then return false end
        pkt.cols.protocol = "myproto"
        local t = root:add(myproto,tvb)
        t:add(f_version,tvb(0,2))
        -- TvbRange methods need the colon call syntax (:uint(), not .uint())
        local version = tvb(0,2):uint()
        print("version:"..tostring(version))
        return true
    end

    -- Entry point called by Wireshark; hands off to "data" when the
    -- payload is too short to be myproto
    function myproto.dissector(tvb,pkt,root)
        print("enter myproto.dissector")
        if not myproto_dissector(tvb,pkt,root) then
            data_dis:call(tvb,pkt,root)
        end
    end

    -- Register on the HTTP Content-Type (media_type) dissector table
    local tbl = DissectorTable.get("media_type")
    tbl:add("application/octet-stream",myproto)
    --tbl:add("text/html",myproto) --text/html looks fine
    print("adding myproto into DissectorTable")
end

I use tshark to debug for application/octet-stream:

$tshark  -r test.pcapng   |grep application/octet-stream
108 40.536817000    10.8.0.14 -> 10.130.142.72 HTTP 418 POST /protocol?uid=101225&uid=101225&_t=1382115502 HTTP/1.1  (application/octet-stream)
111 40.596037000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
120 40.657143000    10.8.0.14 -> 10.130.142.72 HTTP 445 POST /protocol?uid=101225&uid=101225&_t=1382115502    HTTP/1.1  (application/octet-stream)
124 40.729645000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
219 41.810493000    10.8.0.14 -> 10.130.142.72 HTTP 488 POST /protocol?uid=101225&uid=101225&_t=1382115503 HTTP/1.1  (application/octet-stream)
226 41.919401000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)

$tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
adding myproto into DissectorTable

For text/html:

 $tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
 adding myproto into DissectorTable
 enter myproto.dissector
 enter myproto_dissector, tvb.len:2
 enter myproto.dissector
 enter myproto_dissector, tvb.len:6
 enter myproto.dissector
 enter myproto_dissector, tvb.len:6



Regards,
Cong Ling

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev