| 
 
 
 ___________________________________________________________________________I think it might be the bug of wireshark when the media_type is not list in the dissector table.   'application/octet-stream' is not listed on the table yet. After I use Lua->evaluate in Wireshark, The dissector table shows my protocol like this, 'application/octet-stream' is in mess code 
 <屏幕快照 2013-10-20 上午12.05.46.png> Hi all,
 I'm trying to write a lua Proto to parse our private protocol on http. But Wireshark didn't enter my dissector function when the media_type to "application/octet-stream". When the media_type is set to "text/html", everything looks fine.
 Is there special handling for application/octet-stream?
 I was working on it for almost a day, Could you help me out?
 Thx a lot
 
 My wireshark version is 1.10.2 on mac osx 10.8.5
 
 Here's my code
 
 do
 local myproto= Proto("myprotoProtocol","myproto Protocol")
 local f_version= ProtoField.uint32("Version","Version",base.DEC)
 myproto.fields = {f_version}
 local data_dis = Dissector.get("data")
 local function myproto_dissector(tvb,pkt,root)
 print("enter myproto_dissector, tvb.len:"..tostring(tvb:len()))
 if tvb:len() < 17 then return false end
 pkt.cols.protocol = "myproto"
 local t =root:add(myproto,tvb)
 t:add(f_version,tvb(0,2))
 local version = tvb(0,2).uint()
 print("version:"..tostring(version))
 return true
 end
 
 function myproto.dissector(tvb,pkt,root)
 print("enter myproto.dissector")
 if not myproto_dissector(tvb,pkt,root) then
 data_dis:call(tvb,pkt,root)
 end
 end
 
 local tbl= DissectorTable.get("media_type")
 tbl:add("application/octet-stream",myproto)
 --tbl:add("text/html",myproto) --text/html looks fine
 print("adding myproto into DissectorTable")
 end
 
 I use tshark to debugging for application/octet-stream
 
 $tshark  -r test.pcapng   |grep application/octet-stream
 108 40.536817000    10.8.0.14 -> 10.130.142.72 HTTP 418 POST /protocol?uid=101225&uid=101225&_t=1382115502 HTTP/1.1  (application/octet-stream)
 111 40.596037000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
 120 40.657143000    10.8.0.14 -> 10.130.142.72 HTTP 445 POST /protocol?uid=101225&uid=101225&_t=1382115502    HTTP/1.1  (application/octet-stream)
 124 40.729645000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
 219 41.810493000    10.8.0.14 -> 10.130.142.72 HTTP 488 POST /protocol?uid=101225&uid=101225&_t=1382115503 HTTP/1.1  (application/octet-stream)
 226 41.919401000 10.130.142.72 -> 10.8.0.14    HTTP 63 HTTP/1.1 200 OK  (application/octet-stream)
 
 $tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
 adding myproto into DissectorTable
 
 for text/html
 
 $tshark  -r test.pcapng   -X lua_script:canon.lua | grep myproto
 adding myproto into DissectorTable
 enter myproto.dissector
 enter myproto_dissector, tvb.len:2
 enter myproto.dissector
 enter myproto_dissector, tvb.len:6
 enter myproto.dissector
 enter myproto_dissector, tvb.len:6
 
 
 
 Regards,
 Cong Ling
 
 ___________________________________________________________________________
 Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
 Archives:    http://www.wireshark.org/lists/wireshark-dev
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
 
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
 Archives:    http://www.wireshark.org/lists/wireshark-dev
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
 |