Wireshark-dev: Re: [Wireshark-dev] Question for LUA dissection

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Wed, 7 Feb 2018 19:32:30 +0100
Hey Roland,

[moved quote downwards for context]

On Wed, Feb 07, 2018 at 03:59:52PM +0100, Roland Knall wrote:
> On Wed, Feb 7, 2018 at 3:57 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>
> > On Wed, Feb 7, 2018 at 9:38 AM, Roland Knall <rknall@xxxxxxxxx> wrote:
> >
> >> Hi
> >>
> >> Just a short question.
> >>
> >> I have a protocol, which transports information via TCP. Now we have a
> >> segmented download via this protocol, which in turn is a TCP segmented
> >> transfer.
> >>
> >> I can desegment_tcp_pdus, and end up with a couple of messages with the
> >> bigger blocks, which I now need to desegment further.
> >>
> >> I am at a loss on how to do that, does anyone have an idea? In C I would
> >> use taps and display the final files somewhere else (not in the packet
> >> stream), but I do not really have an idea on how to do this in Lua.
> >>
> >
> > In C you could also use dissect_tcp_pdus() and get the (reassembled)
> > packet in your dissector and dissect that.
> >
>
> Yeah, the issue is, that the result of dissect_tcp_pdus is segmented, and I
> need to desegment on top of that. In C I would face the same issue, and
> there I would move to taps, as I do not need the info live

The problem with dissect_tcp_pdus (and desegment_offset/desegment_len)
is that it prevents the dissection from displaying until everything is
available.

In C, the reassembly API (epan/reassemble.h) could potentially be used
for more control over when the dissection is displayed, but the API can
be hard to use. This API is not exposed to Lua; I guess that in Lua the
best you can do now given the current API limitations is to store
fragments in a global variable (register a cleanup routine to clear this
variable when a packet capture file closes).
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
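
A sketch of the approach suggested above (fragments kept in a global table, cleared from the dissector's init routine), as an added example that is not part of the original message or of Wireshark's own code. The PDU layout, the protocol name "blockxfer", port 9999 and the MAX_BYTES cap are hypothetical, and blocks are assumed to arrive in order.

```lua
-- Added example. Hypothetical PDU layout (not the poster's actual protocol):
--   uint32 pdu_len (whole PDU) | uint16 transfer_id | uint8 flags (bit 0 = last block) | data
local HDR_LEN   = 7
local MAX_BYTES = 16 * 1024 * 1024         -- hypothetical cap so a capture cannot grow state unbounded
local proto  = Proto("blockxfer", "Block Transfer (example)")
local f_id   = ProtoField.uint16("blockxfer.id", "Transfer ID")
local f_last = ProtoField.bool("blockxfer.last", "Last block")
proto.fields = { f_id, f_last }
local f_stream = Field.new("tcp.stream")   -- field extractors must be created outside the dissector

-- Global reassembly state.
local pending = {}   -- "stream:id" -> ByteArray of the blocks seen so far
local done    = {}   -- "frame:id"  -> ByteArray of a completed transfer

-- init runs when a capture file is opened, closed or reloaded,
-- so fragments from one capture never leak into the next.
function proto.init()
    pending, done = {}, {}
end

local function get_len(tvb, pinfo, offset)
    return tvb(offset, 4):uint()
end

local function dissect_pdu(tvb, pinfo, tree)
    local id   = tvb(4, 2):uint()
    local last = tvb(6, 1):uint() % 2 == 1
    local sub  = tree:add(proto, tvb())
    sub:add(f_id, tvb(4, 2))
    sub:add(f_last, tvb(6, 1), last)
    local fkey = pinfo.number .. ":" .. id
    if not pinfo.visited then              -- collect only on the first pass over the capture
        local skey = f_stream().value .. ":" .. id
        local buf = pending[skey] or ByteArray.new()
        if tvb:len() > HDR_LEN then buf:append(tvb(HDR_LEN):bytes()) end
        pending[skey] = buf
        if buf:len() > MAX_BYTES then pending[skey] = nil      -- drop oversized transfers
        elseif last then done[fkey], pending[skey] = buf, nil end
    end
    if last and done[fkey] and done[fkey]:len() > 0 then       -- show the file on its final block
        local whole = ByteArray.tvb(done[fkey], "Reassembled transfer")
        sub:add(whole(), "Reassembled transfer data (" .. whole:len() .. " bytes)")
    end
    return tvb:len()
end

function proto.dissector(tvb, pinfo, tree)
    dissect_tcp_pdus(tvb, tree, HDR_LEN, get_len, dissect_pdu)  -- first level: TCP desegmentation
end
DissectorTable.get("tcp.port"):add(9999, proto)                 -- hypothetical port
```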