Hi Kunal,
On Tue, Mar 14, 2017 at 10:37:47PM +0000, Kunal Thakrar wrote:
> The next question I had is to do with post-dissectors in Lua. Please
> correct me if I'm wrong, will they allow me to get data in the
> proto-tree section of the main Wireshark screen? At the moment I have
> packets with their source, destination IPs and ports as well as packet
> numbers, will I be able to get the proto-tree data for these specific
> packets?
You can get the proto-tree data only if you "prime" the field before.
This ensures that Wireshark tries to find those fields during
dissection. In Lua you can do this using the Field.new function:
https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Field.html#lua_class_Field
This function must be called before dissection starts (otherwise the
fields are not selected for "priming"). There is probably a similar
function in the C API (search for "prime"). The idea is basically the same:
Before dissection: prime the fields you are interested in
During dissection: protocols dissect normally
After dissection: post-dissector checks any fields that were primed.
I did not look into the details though, but this should be the general
idea. Hope it helps!
--
Kind regards,
Peter Wu
https://lekensteyn.nl
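
The three phases described in the reply above, as an added example that is not part of the original message or of Wireshark's own code. The protocol name "flowtag" and its field "flowtag.summary" are hypothetical; the primed fields are standard Wireshark field names.

```lua
-- Hypothetical post-dissector "flowtag" (name and output field are assumptions).

-- Before dissection: create the extractors at script load time.
-- Field.new() is what "primes" these fields, so it must run here,
-- not inside the dissector function.
local f_ip_src    = Field.new("ip.src")
local f_ip_dst    = Field.new("ip.dst")
local f_tcp_sport = Field.new("tcp.srcport")
local f_tcp_dport = Field.new("tcp.dstport")

local flowtag = Proto("flowtag", "Flow Tag (example post-dissector)")
local pf_summary = ProtoField.string("flowtag.summary", "Flow summary")
flowtag.fields = { pf_summary }

-- After dissection: called once per packet, after the normal
-- dissectors have run and filled in the primed fields.
function flowtag.dissector(tvb, pinfo, tree)
    -- Calling an extractor returns the FieldInfo for the current packet,
    -- or nothing when the field is absent (for example ARP or UDP).
    -- Only the first occurrence is kept if a field appears several times.
    local src, dst = f_ip_src(), f_ip_dst()
    local sport, dport = f_tcp_sport(), f_tcp_dport()
    if not (src and dst and sport and dport) then
        return
    end

    local summary = string.format("#%d %s:%s -> %s:%s",
        pinfo.number,
        tostring(src), tostring(sport),
        tostring(dst), tostring(dport))

    -- Add a new subtree to the packet details pane.
    local subtree = tree:add(flowtag)
    subtree:add(pf_summary, summary)
end

register_postdissector(flowtag)
```

Saved as a file (for instance `flowtag.lua`, a name chosen here), it can be loaded with `-X lua_script:flowtag.lua` in Wireshark or tshark; packets carrying both IPv4 and TCP then show an extra "Flow Tag" entry in the protocol tree.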