Hi,

I'm working on dissecting a proprietary protocol that extends Bluetooth HCI_ACL 
with a Lua dissector. As there's no heuristic dissector list registered for 
this particular protocol, I thought something similar could be achieved with a 
chained dissector. I retrieve the original HCI_ACL dissector handle and replace 
it with my own Lua dissector. In the Lua dissector I apply some heuristics and, 
if it's not my own protocol, call the original HCI_ACL dissector via the 
handle.

Code looks like this:

local proto_test = Proto("test", "Use chaining as heuristic dissector")
local proto_default_acl

function is_test_proto(tvb, pinfo)
    -- Apply heuristics to determine if own protocol
    return false
end

function proto_test.dissector(tvb, pinfo, tree)
    if not is_test_proto(tvb, pinfo) then
        return proto_default_acl:call(tvb, pinfo, tree)
    end

    pinfo.cols.protocol = "test"
    tree = tree:add(proto_test, tvb)
    return tvb:len()
end

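function proto_test.init()
    -- init() runs for every capture load; hook the table only once so the
    -- saved handle never ends up pointing at this dissector itself
    if proto_default_acl then return end
    local hci_type = DissectorTable.get("hci_h4.type")
    local pattern = 0x02 -- ACL
    proto_default_acl = hci_type:get_dissector(pattern)
    hci_type:add(pattern, proto_test)
end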

This unfortunately did not work and I was not able to find out why until I 
started looking at the HCI_ACL dissector code itself.

static gint
dissect_bthci_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
<...>
    /* Reject the packet if data is NULL */
    if (data == NULL)
        return 0;

The above NULL check is hit for all calls coming from the Lua dissector. The 
Lua dissector function prototype does not have the data parameter and it 
appears it's simply lost when chaining calls through Lua.

Any suggestions on how to approach this? Would it be possible to extend the Lua 
dissector interface with another function prototype that supports the data 
parameter? Just support relaying the parameter in chained dissectors, not 
modifying or doing any fancy stuff with it.

/Mikael
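
The failure described in the message above, reduced to a stand-alone C model. This is an added example, not code from the original post or from Wireshark: every `model_*` name, the `0xA5` heuristic and the frame bytes are constructed assumptions, and only the NULL check mirrors the quoted `dissect_bthci_acl` excerpt.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for tvbuff_t and a dissector callback (hypothetical). */
typedef struct { const unsigned char *buf; int len; } model_tvb;
typedef int (*model_dissector)(const model_tvb *tvb, void *data);

/* Mirrors the quoted check: without parent context the packet is rejected. */
static int model_acl_dissect(const model_tvb *tvb, void *data)
{
    if (data == NULL)
        return 0;        /* 0 bytes consumed: packet not dissected */
    return tvb->len;     /* context present: whole buffer consumed */
}

/* Handle saved before the table entry is replaced, as in the chained setup. */
static model_dissector original = model_acl_dissect;

/* Placeholder heuristic: a leading 0xA5 marks the constructed "own" protocol. */
static int is_own_proto(const model_tvb *tvb)
{
    return tvb->len > 0 && tvb->buf[0] == 0xA5;
}

/* Shim with a three-argument style callback: it has no data to pass on. */
static int chain_without_data(const model_tvb *tvb)
{
    return is_own_proto(tvb) ? tvb->len : original(tvb, NULL);
}

/* Shim that relays the opaque pointer untouched to the original dissector. */
static int chain_with_data(const model_tvb *tvb, void *data)
{
    return is_own_proto(tvb) ? tvb->len : original(tvb, data);
}

/* Runs one constructed non-matching frame through either shim. */
static int run_model(int relay)
{
    static const unsigned char frame[] = { 0x01, 0x20, 0x04, 0x00 }; /* constructed */
    model_tvb tvb = { frame, (int)sizeof frame };
    int parent_ctx = 0;  /* stands in for the context the parent would supply */
    return relay ? chain_with_data(&tvb, &parent_ctx) : chain_without_data(&tvb);
}

int main(void)
{
    printf("without relay: %d bytes, with relay: %d bytes\n", run_model(0), run_model(1));
    return 0;
}
```

In the model, the only difference between the rejected and the accepted frame is whether the shim forwards the pointer it was given.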
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev