Wireshark-dev: Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA
From: "Rowswell, Brent" <brent.rowswell@xxxxxxxx>
Date: Fri, 20 Jun 2008 10:05:27 -0600
Whenever I try to run the filter on the ProtoFields, Wireshark comes up
with an error.
I'm trying to assign the ProtoField as such:

local my_proto = Proto("MYPROTO", "myproto does some stuff")
local test = ProtoField.uint8("stuff")
my_proto.fields = test 

And the filter I'm trying to use is MYPROTO.stuff, correct?


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG Ontanon
Sent: Friday, June 20, 2008 10:09 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] LUA development highlighting bytefield display with LUA

On Fri, Jun 20, 2008 at 3:58 PM, Rowswell, Brent
<brent.rowswell@xxxxxxxx> wrote:
> So when you say that using a ProtoField would create a filterable 
> field, do you mean that wireshark can then filter based on some field 
> in the protocol which has the ProtoField added to it?
Yes, that's exactly it.

> If so, then what would that field be, and how would you access it?

You need to register a protocol; its name gives you the first part of
the filter. The name of the ProtoField is the second part:


local proto = Proto.new("myproto")
local my_field1 = ProtoField.uint8("field1")
local my_field2 = ProtoField.uint8("field2")

proto.fields = {my_field1, my_field2}


that would create two display filter fields: myproto.field1 and
myproto.field2


> E.G. does that mean that when I start up my wireshark and start a
> capture, can I then try in the filter field something like my_proto
> contains my_field and it would then only show the packets that contain
> my_field, or did you mean something else by being filterable?

Yes that's almost what that means!

The filter would be "myproto.field1" or like "myproto.field1 == 3", not
"my_proto contains field1".

The keyword contains is for another purpose: "my_proto contains
01:02:03" would match only if the bytes belonging to my_proto contain
the hex sequence 010203.




>
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG 
> Ontanon
> Sent: Wednesday, June 18, 2008 10:32 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] LUA development highlighting bytefield 
> display with LUA
>
> mytree =  subtree:add(tvb:range(0x1), "STUFF") should work
>
> or better if you define a ProtoField, let's say
>
> local pf_mine = ProtoField.uint8("my_field")
>
> ...
> mytree =  subtree:add(pf_mine, "STUFF")
>
> should not only highlight the bytes but should create a filterable
> field "my_proto.my_field" for the byte(s) in the tvbRange.
>
> On Wed, Jun 18, 2008 at 3:15 PM, Rowswell, Brent 
> <brent.rowswell@xxxxxxxx> wrote:
>> I've been trying to use this to get the subtrees to highlight, and so
>> far I can only get the first subtree to highlight correctly.  Here's
>> the syntax of what I'm trying.
>>
>> local subtree = (tree:add(my_proto, tvb:range(), "my header")) -- works
>> local mytree = (subtree:add("TEST ", tvb:range(0x1), "STUFF")) -- doesn't highlight
>>
>> I know that wireshark can highlight the subtrees just by looking at
>> the ethernet filters in the hex pane, but for some reason this isn't
>> highlighting there.  What should I do to get this to highlight?  The
>> way I figure this should work is the first one highlights the entire
>> tvb, which it does, and the second should highlight all but the first
>> byte, which it doesn't.
>>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis EG 
>> Ontanon
>> Sent: Tuesday, June 17, 2008 7:47 AM
>> To: Developer support list for Wireshark
>> Subject: Re: [Wireshark-dev] LUA development highlighting bytefield 
>> display with LUA
>>
>> Lua uses the very same API that dissectors use. For protocol tree 
>> items created with Lua (when they are given a tvbRange) the bytes in 
>> the hex dump pane get highlighted as with any other dissector.
>>
>>
>> On Mon, Jun 16, 2008 at 3:37 PM, Rowswell, Brent 
>> <brent.rowswell@xxxxxxxx> wrote:
>>> Hey there,
>>>
>>> I was wondering if there was a way to make my LUA dissector highlight
>>> specific bytes in the bytefield display so that they stand out easily,
>>> such as the various portions of my header and attach these to the
>>> subtrees that explain what they are.  I know something that does this
>>> is already built into wireshark and that it works very well for
>>> predefined message types, for instance it dissects TCP headers in a
>>> very readable way so that you can actually see which bytes correspond
>>> to the source and destination addresses.  I would like to do something
>>> similar on my own message type, so that the specific portions of my
>>> message are easily readable after dissection.  Is there any way to do
>>> this inside my LUA script?
>>>
>>> Brent Rowswell
>>>
>>> _______________________________________________
>>> Wireshark-dev mailing list
>>> Wireshark-dev@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>>
>>>
>>
>>
>>
>> --
>> This information is top security. When you have read it, destroy 
>> yourself.
>> -- Marshall McLuhan



--
This information is top security. When you have read it, destroy
yourself.
-- Marshall McLuhan
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
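Added example, not code from any message in this thread: a complete Lua dissector that registers display-filter fields the way Luis describes above and adds every field from a TvbRange, so the hex pane highlights exactly those bytes. The protocol name "myproto", UDP port 9999 and the 4-byte header layout are constructed for the example. It assumes the current Wireshark Lua API, in which the ProtoField abbreviation is the full filter name ("myproto.version") and Proto.fields is assigned a table of ProtoFields rather than a single field.

```lua
-- Added example (not from the thread). Assumes the current Wireshark Lua API:
-- ProtoField abbreviations carry the protocol prefix, Proto.fields takes a table.
-- Protocol name, UDP port 9999 and the header layout are constructed here.

local my_proto = Proto("myproto", "My Example Protocol")

-- The first argument is the full display-filter name of the field.
local f_version = ProtoField.uint8("myproto.version", "Version", base.DEC)
local f_flags   = ProtoField.uint8("myproto.flags", "Flags", base.HEX)
local f_length  = ProtoField.uint16("myproto.length", "Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")

-- Register the fields as a table; with a single ProtoField assigned here the
-- "myproto.*" filter names never get registered with the filter engine.
my_proto.fields = { f_version, f_flags, f_length, f_payload }

function my_proto.dissector(tvb, pinfo, tree)
    -- Fixed header is 4 bytes: refuse shorter frames instead of indexing
    -- past the buffer (a crafted short frame would otherwise raise a Lua
    -- error for that packet).
    if tvb:len() < 4 then return 0 end

    pinfo.cols.protocol = "MYPROTO"

    -- Each add() receives a TvbRange, so the bytes it covers are highlighted
    -- in the hex pane when the item is selected.
    local subtree = tree:add(my_proto, tvb(), "My Example Protocol header")
    subtree:add(f_version, tvb(0, 1))
    subtree:add(f_flags,   tvb(1, 1))
    subtree:add(f_length,  tvb(2, 2))

    local declared = tvb(2, 2):uint()
    local avail = tvb:len() - 4
    if avail > 0 then
        -- Never trust the declared length: clamp to the bytes actually captured
        -- and flag the mismatch instead of reading beyond the frame.
        local plen = math.min(declared, avail)
        local item = subtree:add(f_payload, tvb(4, plen))
        if declared > avail then
            item:add_expert_info(PI_MALFORMED, PI_ERROR,
                "Declared length exceeds captured payload")
        end
    end
    return tvb:len()
end

-- Constructed binding: hand UDP port 9999 to this dissector.
DissectorTable.get("udp.port"):add(9999, my_proto)
```

Drop the file into the Wireshark plugins directory and reload Lua plugins. Display filters such as myproto.flags == 0x01 or myproto.length > 16 then resolve against the registered fields, while myproto contains 01:02:03 still matches on the raw bytes of the protocol as described in the thread. The short-frame check and the length clamp are there because a dissector runs on whatever arrives on the wire, and bounds errors on malformed input should be reported as expert info rather than left to the Lua error handler.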