Wireshark · Wireshark-dev: Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA

Wireshark-dev: Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA

From: "Rowswell, Brent" <brent.rowswell@xxxxxxxx>

Date: Fri, 20 Jun 2008 12:08:45 -0600

 It seems to want the filter to be just the protofield name, so it lets
me use stuff as a filter.  The problem with that is the filter doesn't
seem to be tied into the use of that proto, so while my dissector is
grabbing the data out of the fields, when filtering by the protofield it
doesn't like actually giving me the dissected packets, or any packets at
all.  I'm thinking that I didn't attach the protoField onto my proto
correctly.

Furthermore it doesn't like adding with the protofield, so for instance
when I try to do the following in my dissector, it spits out an error:
local test = ProtoField.uint8("test")
my_proto.fields = test
...
[inside my dissector]
...
subtree:add(test, "TEST")

I've also tried that with using subtree:add(test, tvb, "TEST") but to
the same effect.  Is it only the packets which have subtrees added by
using a protoField that show up when filtering?  If so, then it would
seem that I'd want to create a dummy tree with no real data attached to
it to get them to show up in the filter.  

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG
Ontanon
Sent: Friday, June 20, 2008 11:10 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] LUA development highlighting bytefield
display with LUA

it turns the protocol name into lowercase so that'd be:
myproto.stuff

it should turn green if it is ok.


what about the [Expression...] dialog do you see your proto there?



On Fri, Jun 20, 2008 at 6:05 PM, Rowswell, Brent
<brent.rowswell@xxxxxxxx> wrote:
> Whenever I try to run the filter on the ProtoFields wireshark comes up

> with an error.
> I'm trying to assign the ProtoField as such:
>
> local my_proto = Proto("MYPROTO", "myproto does some stuff") local 
> test = ProtoField.uint8("stuff") my_proto.fields = test
>
> And the filter I'm trying to use is MYPROTO.stuff correct?
>
>
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG 
> Ontanon
> Sent: Friday, June 20, 2008 10:09 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] LUA development highlighting bytefield 
> display with LUA
>
> On Fri, Jun 20, 2008 at 3:58 PM, Rowswell, Brent 
> <brent.rowswell@xxxxxxxx> wrote:
>> So when you say that using a ProtoField would create a filterable 
>> field, do you mean that wireshark can then filter based on some field

>> in the protocol which has the ProtoField added to it?
> Yes, That's exactly it.
>
>> If so, then what would that field be, and how would you access it?
>
> You need to register a protocol, it's name gives you the first part of

> the filters. the name of the ProtoField is the second part:
>
>
> local proto = Proto.new("myproto")
> local my_field1 = ProtoField.uint8("field1") local my_field2 =
> ProtoField.uint8("field2")
>
> proto.fields = {my_field1, my_field2}
>
>
> that would create two display filter fields: myproto.field1 and
> myproto.field2
>
>
>> E.G. does that mean that when I start up my wireshark and start a 
>> capture, can I then try in the filter field something like my_proto 
>> contains my_field and it would then only show the packets that 
>> contain
>
>> my_field, or did you mean something else by being filterable?
>
> Yes that's almost what that means!
>
> The filter would be "myproto.field1" or like "myproto.field1 == 3", 
> not "my_proto contains field1".
>
> The keyword contains is for another purposeL "my_proto contains 
> 01:02:03" whould match only if the bytes belonging to my_proto contain

> the hex sequence 010203.
>
>
>
>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG 
>> Ontanon
>> Sent: Wednesday, June 18, 2008 10:32 AM
>> To: Developer support list for Wireshark
>> Subject: Re: [Wireshark-dev] LUA development highlighting bytefield 
>> display with LUA
>>
>> mytree =  subtree:add(tvb:range(0x1), "STUFF") should work
>>
>> or better if you defina a protoField lets'say
>>
>> local pf_mine = ProtoField.uint8("my_field")
>>
>> ...
>> mytree =  subtree:add(pf_mine, "STUFF")
>>
>> should not only highlight the bytes but should create a filterable 
>> field "my_proto.my_filed" for the byte(s) in the tvbRange.
>>
>> On Wed, Jun 18, 2008 at 3:15 PM, Rowswell, Brent 
>> <brent.rowswell@xxxxxxxx> wrote:
>>> I've been trying to use this to get the subtrees to highlight, and 
>>> so
>
>>> far I can only get the first subtree to highlight correctly.  Here's

>>> the syntax of what I'm trying.
>>>
>>> local subtree = (tree:add(my_proto, tvb:range(), "my header")) -- 
>>> works local mytree = (subtree:add("TEST ", tvb:range(0x1), "STUFF"))
>>> -- doesn't highlight
>>>
>>> I know that wireshark can highlight the subtrees just by looking at 
>>> the ethernet filters in the hex pane, but for some reason this isn't

>>> highlighting there.  What should I do to get this to highlight.  The

>>> way I figure this should work is the first one highlights the entire

>>> tvb, which it does, and the second should highlight all but the 
>>> first
>
>>> byte, which it doesn't.
>>>
>>>
>>> -----Original Message-----
>>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG 
>>> Ontanon
>>> Sent: Tuesday, June 17, 2008 7:47 AM
>>> To: Developer support list for Wireshark
>>> Subject: Re: [Wireshark-dev] LUA development highlighting bytefield 
>>> display with LUA
>>>
>>> Lua uses the very same API that dissectors use. For protocol tree 
>>> items created with Lua (when they are given a tvbRange) the bytes in

>>> the hex dump pane get highlighted as with any other dissector.
>>>
>>>
>>> On Mon, Jun 16, 2008 at 3:37 PM, Rowswell, Brent 
>>> <brent.rowswell@xxxxxxxx> wrote:
>>>> Hey there,
>>>>
>>>> I was wondering if there was a way to make my LUA dissector 
>>>> highlight
>>
>>>> specific bytes in the bytefield display so that they stand out 
>>>> easily,
>>>
>>>> such as the various portions of my header and attach these to the 
>>>> subtrees that explain what they are.  I know something that does 
>>>> this
>>
>>>> is already built into wireshark and that it works very well for 
>>>> predefined message types, for instance it dissects TCP headers is a

>>>> very readable way so that you can actually see which bytes 
>>>> correspond
>>
>>>> to the source and destination addresses.  I would like to do 
>>>> something
>>>
>>>> similar on my own message type, so that the specific portions of my

>>>> message are easily readable after dissection.  Is there any way to 
>>>> do
>>> this inside my LUA script?
>>>>
>>>> Brent Rowswell
>>>>
>>>> _______________________________________________
>>>> Wireshark-dev mailing list
>>>> Wireshark-dev@xxxxxxxxxxxxx
>>>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> This information is top security. When you have read it, destroy 
>>> yourself.
>>> -- Marshall McLuhan
>>> _______________________________________________
>>> Wireshark-dev mailing list
>>> Wireshark-dev@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>> _______________________________________________
>>> Wireshark-dev mailing list
>>> Wireshark-dev@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>>
>>
>>
>>
>> --
>> This information is top security. When you have read it, destroy 
>> yourself.
>> -- Marshall McLuhan
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-dev
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>
>
>
>
> --
> This information is top security. When you have read it, destroy 
> yourself.
> -- Marshall McLuhan
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>



--
This information is top security. When you have read it, destroy
yourself.
-- Marshall McLuhan
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev

References:
- [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Rowswell, Brent
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Luis EG Ontanon
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Rowswell, Brent
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Luis EG Ontanon
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Rowswell, Brent
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Luis EG Ontanon
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Rowswell, Brent
- Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
  - From: Luis EG Ontanon

Prev by Date: Re: [Wireshark-dev] Request/Response tracking with multiple responses
Next by Date: Re: [Wireshark-dev] wireshark 1.0.1?
Previous by thread: Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
Next by thread: [Wireshark-dev] buildbot failure in Wireshark (release) on Ubuntu-7.10-x86-64
Index(es):
- Date
- Thread