Wireshark-dev: Re: [Wireshark-dev] Accessing prior packets in Lua

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 15 Sep 2009 20:00:09 -0700

On Sep 14, 2009, at 12:50 PM, Beth wrote:

In my Lua program, I am analyzing how long it takes certain packets to be acked. I can calculate the information once I get the ack packet, but what I would really like to do is to add the "time to ack" (or "never acked") data to the tree for the original packet. I know this can be done in C, since the Wireshark fragment reassembly does it very nicely, but can it also be done from Lua?

That is: given packet number X that is later acked by packet number Y, when my Lua program processes packet Y I can calculate the time between the packets. I can print it in a textwindow, but I would much rather add this info to the display tree for packet X. How might I access the tree for packet X, when I am processing packet Y?

You can't - it doesn't exist. Protocol trees are discarded as soon as Wireshark or TShark is finished with them, so they don't take up memory.

What you would need to do would be to have, as per Martin Visser's suggestion, a data structure that stores, for each packet that would be acked:

	the time stamp of the packet;

	the frame number of the packet;

	the time stamp of the ack for that packet (initialize to 0);

the frame number of the frame containing the ack for that packet (initialize to 0);

whatever information would be needed in order to identify which frame acks the packet;

and, when you see an ack, look in that data structure for the packet to which it's an ack, and fill in the time stamp and the frame number of the ack (if it's not already filled in - no frame has frame number 0, so if the frame number of the ack is non-zero, it's already been filled in).

When dissecting a packet that could be acked, see whether there's an entry in the database for it.

	If not:

		if the packet hasn't yet been seen, create one.

	If so:

if the frame number containing the ack for the packet is non-zero, compute the "time to ack" from the two time stamps, and put that and the frame number of the ack into the protocol tree;

		otherwise, put a "never acked" indication into the protocol tree.

When dissecting an ack, see whether there's an entry in the database for it:

If so, and if the frame number for the packet being acked is non- zero, you could put the "time to ack" and the frame number of the packet being acked into the protocol tree.