Wireshark-dev: [Wireshark-dev] Setting column text using a Lua plugin
From: Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx>
Date: Tue, 12 Feb 2013 00:10:38 +0000
Howdy,

Setting column text via Lua plugins by using the pinfo:set() method (the Pinfo from a Listener tap) doesn't seem to work for two reasons:

1) The TL_REQUIRES_COLUMNS flag wasn't being set when registering Lua listener taps in Listener_new().  I fixed that in my local copy.

2) Wireshark apparently calls dissectors twice: once for each packet in the list, during which it calls the taps for that packet including the Lua Listener taps; and a second time after it reaches the end of the list, when it apparently calls the dissectors for all the packets again but without calling the Listener taps.  Thus the column text set by a Lua listener gets overwritten by this second round of dissection, regardless of a fence being set or not.  That's for file reading mode... with live capturing it appears to dissect a few packets the first time and call their taps, but then not long after re-dissects the same previous small group of packets and thus overwrites their column text (i.e., does what file mode does but in small chunks).

In tshark this double-dissection doesn't seem to happen in either file or live modes, and Lua successfully modifies the column text displayed by tshark.

Trying to overcome this by using retap_packets() in the Lua script doesn't work, as that will re-tap them but does not update the display.  Trying to do it in the Listener.draw() function callback won't work, because by then the packet_info is expired/gone.

So... I assume this double dissection happens for some really good reason or other.  The question is should a Lua tap listener be able to write column text or not, and if so how?  One way would be to let the Lua Listener tap be called that second time as well (seems ugly); another way is to expose some means for Lua code to access the packet list/store when Listener.draw() is called; another way is to let the packet's column data have a new setting similar to fence, that prevents re-writing by C-code dissectors.

-hadriel
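
The setup discussed in the message above, as an added example that is not code from the original post: a Lua Listener tap that writes to the Info column and counts how often each frame is tapped, so the tshark and Wireshark GUI results can be compared. The `tcp` filter, the `[lua-tap]` marker and the script name are constructed for illustration.

```lua
-- Added example; load with:  tshark -X lua_script:tap_cols.lua -r <capture>
-- (tap_cols.lua is a placeholder name; the same script can be loaded in the GUI)

local TAG = "[lua-tap] "               -- constructed marker text

-- nil selects the default "frame" tap; "tcp" is an assumed display filter.
local tap = Listener.new(nil, "tcp")

local calls = {}     -- frame number -> how many times tap.packet saw it
local revisits = 0   -- tap calls made on an already-visited frame

function tap.packet(pinfo, tvb)
    local n = pinfo.number
    calls[n] = (calls[n] or 0) + 1
    if pinfo.visited then
        revisits = revisits + 1
    end
    -- Mark the Info column. Whether this text is still there when the
    -- row is displayed is exactly what the message above is asking about.
    pinfo.cols.info:prepend(TAG)
end

function tap.draw()
    -- pinfo is no longer available here, so only the bookkeeping
    -- collected in tap.packet can be reported.
    local frames, repeated = 0, 0
    for _, count in pairs(calls) do
        frames = frames + 1
        if count > 1 then
            repeated = repeated + 1
        end
    end
    print(string.format(
        "tapped %d frames, %d tapped more than once, %d calls with visited=true",
        frames, repeated, revisits))
end

function tap.reset()
    -- Called when the capture is reloaded or the tap is restarted.
    calls = {}
    revisits = 0
end
```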