Wireshark-users: Re: [Wireshark-users] Developing a disector in Lua

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 13 Jan 2019 12:14:34 -0800
On Jan 13, 2019, at 11:56 AM, jannis.ohms2@xxxxxxxxxxx wrote:

> I want to develop a dissector in Lua for an L2 IoT radio protocol.
> 
> I already looked at the dissector.lua example.
> 
> Since I want to register my dissector using the DissectorTable.get()
> method I looked in the documentation but I could not find a list of
> valid table names.

It's not listed in the documentation, but a list can be generated by running TShark.  The TShark manual page documents the "-G" option, which dumps various tables internal to Wireshark/TShark:

       −G  [ <report type> ]
           The −G option will cause Tshark to dump one of several types of
           glossaries and then exit.  If no specific glossary type is
           specified, then the fields report will be generated by default.
           Using the report type of help lists all the current report types.

           The available report types include:

           ...

           dissector‐tables  Dumps a list of dissector tables to stdout.
           There is one record per line.  The fields are tab‐delimited.

            * Field 1 = dissector table name, e.g. "tcp.port"
            * Field 2 = name used for the dissector table in the GUI
            * Field 3 = type (textual representation of the ftenum type)
            * Field 4 = base for display (for integer types)
            * Field 5 = protocol name
            * Field 6 = "decode as" support

> Since I am on L2 I would have to register on the encapsulation type of
> the captured packet.

So, as this is a link-layer protocol (presumably that's what you mean by L2, i.e. the data link layer in the OSI model), presumably there isn't some other protocol on top of which it runs, and the encapsulation type would be the encapsulation type in the capture file.

If there's already a link-layer type in Wireshark for your protocol, you would register in the "wtap_encap" table using the WTAP_ENCAP_ name, but with "WTAP_ENCAP_" removed - those are defined in init.lua.

If there *isn't* already a link-layer type in Wireshark for your protocol, you would have to add one - and make the code for whatever file format your packets are stored in support that new encapsulation type; that would involve changing the core Wireshark code, not just adding new Lua code.

If there isn't already code for whatever file formats your packets are stored in, you'd have to add that as well - *that* can be done in Lua or C.
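As an added illustration of the registration step described in this reply (example code, not from the original message or from the Wireshark project), here is a minimal Lua dissector that registers in the "wtap_encap" table using one of the names from init.lua with the "WTAP_ENCAP_" prefix removed. The protocol name "myradio", its two-byte header layout (a type byte followed by a payload-length byte) and the choice of the USER0 encapsulation are all assumptions made for the example; a real protocol would use its own link-layer type. The command in the first comment is the TShark "-G dissector-tables" report quoted above, filtered to the one table of interest.

```lua
-- Added example (not the list poster's or Wireshark's own code).
-- To confirm the table name exists in your build, run:
--   tshark -G dissector-tables | grep '^wtap_encap'
-- Field 1 of the matching line is the name to pass to DissectorTable.get().

-- Hypothetical protocol: 1-byte frame type, 1-byte payload length, payload.
local myradio = Proto("myradio", "Example L2 IoT Radio Protocol")

local f_type    = ProtoField.uint8("myradio.type", "Frame type", base.HEX)
local f_len     = ProtoField.uint8("myradio.len", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("myradio.payload", "Payload")
myradio.fields = { f_type, f_len, f_payload }

-- Expert items so malformed frames are flagged instead of silently mis-parsed.
local ef_short = ProtoExpert.new("myradio.too_short",
    "Frame shorter than the 2-byte header",
    expert.group.MALFORMED, expert.severity.ERROR)
local ef_trunc = ProtoExpert.new("myradio.truncated",
    "Declared payload length exceeds captured bytes",
    expert.group.MALFORMED, expert.severity.WARN)
myradio.experts = { ef_short, ef_trunc }

function myradio.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = myradio.name
    local subtree = tree:add(myradio, tvb(), "Example Radio Frame")

    -- Never index past the end of the buffer: check before slicing.
    if tvb:len() < 2 then
        subtree:add_proto_expert_info(ef_short)
        return
    end

    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_len, tvb(1, 1))

    -- Clamp the declared length to what was actually captured.
    local declared = tvb(1, 1):uint()
    local available = tvb:len() - 2
    if declared > available then
        subtree:add_proto_expert_info(ef_trunc)
        declared = available
    end
    if declared > 0 then
        subtree:add(f_payload, tvb(2, declared))
    end

    pinfo.cols.info = string.format("type=0x%02x len=%d",
        tvb(0, 1):uint(), declared)
end

-- Register on the capture file's encapsulation type. The key is the
-- WTAP_ENCAP_ constant name minus its prefix, looked up in the wtap_encaps
-- table that init.lua defines. USER0 (DLT_USER0) is assumed here as a
-- placeholder for the poster's real link-layer type.
DissectorTable.get("wtap_encap"):add(wtap_encaps.USER0, myradio)
```

Load the script with the usual mechanisms (a file under the personal plugins directory, or `tshark -X lua_script:myradio.lua`) and open a capture whose link-layer type is the one you registered; frames of that encapsulation will then be handed straight to `myradio.dissector` with no carrier protocol in between, which is exactly the situation described for a link-layer protocol above.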