0
votes

I already posted this question in the Wireshark community (Link); currently there are no answers yet.


I have a bunch of dissectors I wrote in Lua, which I used in the Wireshark GUI so far - now I want to use them with tshark (under Windows 10). The problem is that one of my dissectors does not work when invoked in tshark (even though it gets initialized). tshark does not output any packets at all, even though all other dissectors are working fine. I am calling the dissector from one of my other dissectors with

[...]
info("calling dissector")
Dissector.get("myproto"):call(payload_tvb, packet_info, tree)

while the dissector itself looks like:

function myproto.init()
    info("Initialization of myproto dissector")
end
function myproto.dissector(buffer, packet_info, tree)
    info("dissector successfully called")
    [...]
end

Nothing special, actually. From the log, I can see that the dissector gets initialized. But when I open a .pcapng file with tshark, then the log message "dissector successfully called" never gets printed, while in the Wireshark GUI, it does.

I am not seeing any error message, so I have no clue what the issue might be. The getDissector function call does not return nil, I checked that. The Lua files are placed in my AppData\Roaming\Wireshark\plugins directory, and tshark does not seem to have a problem finding them there. Does anybody have an idea what might be wrong with this dissector? Any help is appreciated, thanks in advance.


2 Answers

0
votes

I'm not familiar with getDissector(); shouldn't you be using Dissector.get?

For example, my lua dissectors all do things like so:

local data_handle = Dissector.get("data")

function my_proto.dissector(tvb, pinfo, tree)

    ...

    data_handle:call(...)

end

I'm not sure why it's not working for you, but I can provide a working example that might help you. Below are two silly dissectors, foo.lua and bar.lua. You can use the foo.pcapng sample capture file posted on cloudshark if you wish to test it out. (I posted it long ago as an example to this question on ask.wireshark.org.)

First, foo.lua:

-- foo.lua
local p_foo = Proto("foo", "FOO Protocol")

local f_foo_val8 = ProtoField.uint8("foo.val8", "Value 8", base.OCT)
local f_foo_val16 = ProtoField.uint16("foo.val16", "Value 16", base.DEC)
local f_foo_val32 = ProtoField.uint32("foo.val32", "Value 32", base.HEX)
local f_foo_ipv4 = ProtoField.ipv4("foo.ipv4", "IPv4 Address")
local f_foo_ipv6 = ProtoField.ipv6("foo.ipv6", "IPv6 Address")

p_foo.fields = { f_foo_val8, f_foo_val16, f_foo_val32, f_foo_ipv4, f_foo_ipv6 }

-- Resolve the "bar" dissector once at load time; bar.lua must already be loaded
local bar_handle = Dissector.get("bar")

function p_foo.dissector(buf, pinfo, tree)
    local foo_tree = tree:add(p_foo, buf(0,-1))

    pinfo.cols.protocol:set("FOO")
    foo_tree:add(f_foo_val8, buf(0, 1))
    foo_tree:add(f_foo_val16, buf(1, 2))
    foo_tree:add(f_foo_val32, buf(3, 4))
    foo_tree:add(f_foo_ipv4, buf(7, 4))
    foo_tree:add(f_foo_ipv6, buf(11, 16))

    -- Hand the whole buffer to the "bar" dissector after our own fields
    bar_handle:call(buf, pinfo, tree)
end

local udp_table = DissectorTable.get("udp.port")
udp_table:add(33333, p_foo)
-- end of foo.lua

... and now bar.lua:

-- bar.lua
local p_bar = Proto("bar", "BAR Protocol")

function p_bar.dissector(buf, pinfo, tree)
    pinfo.cols.info:append(", BAR")
end
-- end of bar.lua

OK, so the general idea here is that foo.lua does its normal dissection as my example originally provided, but it now also calls the bar dissector, which is really simple and just appends "BAR" to the info column so you know it was called. In my testing, this all works as expected. Perhaps this simple example will help you?
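A fuller version of the call-another-dissector pattern used in the question and in foo.lua/bar.lua above, added here as an example (it is not the poster's code and not part of either answer). It differs from foo.lua in three ways a practitioner usually wants: the callee is looked up when a packet is dissected rather than when the script loads, so load order between the two files does not matter; the lookup is wrapped in pcall, because older Wireshark releases raise an error from Dissector.get() for an unknown name while newer ones return nil; and the callee receives only the payload bytes, with the declared length clamped to what was actually captured. The protocol names "exfoo"/"exbar", UDP port 33333 and the 4-byte header layout (version:u8, type:u8, length:u16) are assumptions made for this example.

```lua
-- Added example (not the poster's code). Assumed: protocols "exfoo"/"exbar",
-- UDP port 33333, and a constructed header {version:u8, type:u8, length:u16}
-- followed by payload that is handed to the "exbar" dissector.
-- Both dissectors are shown in one listing; they can be split into exbar.lua
-- and exfoo.lua at the marker below, and the lazy lookup keeps either load
-- order working.

-- ===== exbar.lua: the callee. Marks the payload and returns what it consumed.
local p_exbar = Proto("exbar", "Example BAR payload")
local f_exbar_len = ProtoField.uint32("exbar.len", "Payload length", base.DEC)
p_exbar.fields = { f_exbar_len }

function p_exbar.dissector(tvb, pinfo, tree)
    local sub = tree:add(p_exbar, tvb(0, -1))
    -- Generated field: the value is derived, not read from the wire.
    sub:add(f_exbar_len, tvb:len()):set_generated()
    pinfo.cols.info:append(", BAR(" .. tvb:len() .. ")")
    return tvb:len()
end

-- ===== exfoo.lua: the caller.
local p_exfoo = Proto("exfoo", "Example FOO header")
local f_ver  = ProtoField.uint8("exfoo.version", "Version", base.DEC)
local f_type = ProtoField.uint8("exfoo.type", "Type", base.HEX)
local f_len  = ProtoField.uint16("exfoo.length", "Payload length", base.DEC)
p_exfoo.fields = { f_ver, f_type, f_len }

-- Look the callee up at dissection time and defensively. pcall covers both
-- API behaviours (error vs. nil) for an unknown dissector name; falling back
-- to "data" keeps the bytes visible in the tree instead of silently losing
-- the rest of the frame.
local function get_payload_dissector(name)
    local ok, handle = pcall(Dissector.get, name)
    if ok and handle then
        return handle
    end
    return Dissector.get("data")
end

function p_exfoo.dissector(tvb, pinfo, tree)
    local HDR = 4
    if tvb:len() < HDR then
        return 0   -- too short to be ours: do not claim the packet
    end
    pinfo.cols.protocol:set("EXFOO")
    local t = tree:add(p_exfoo, tvb(0, HDR))
    t:add(f_ver,  tvb(0, 1))
    t:add(f_type, tvb(1, 1))
    t:add(f_len,  tvb(2, 2))

    -- Clamp the declared length to the bytes actually present so a bad
    -- length field cannot make the callee read past the end of the buffer.
    local declared = tvb(2, 2):uint()
    local avail = tvb:len() - HDR
    local plen = math.min(declared, avail)
    if declared > avail then
        t:add_expert_info(PI_MALFORMED, PI_WARN,
            "declared length exceeds captured payload")
    end
    if plen > 0 then
        -- TvbRange:tvb() gives the callee a buffer that starts at offset 0.
        local payload = tvb(HDR, plen):tvb()
        get_payload_dissector("exbar"):call(payload, pinfo, tree)
    end
    return HDR + plen
end

DissectorTable.get("udp.port"):add(33333, p_exfoo)
```

To try it without relying on the plugins directory, load the scripts explicitly and print the full tree: `tshark -r capture.pcapng -X lua_script:exbar.lua -X lua_script:exfoo.lua -V`. The `-X lua_script:` option can be repeated, and any `info()` calls you add to the dissector functions are written to the console, which makes it easy to confirm whether the callee was actually entered for a given packet.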

0
votes

You need to pass the Lua file to tshark using the -X command line argument.

The scripts load automatically when you open Wireshark but not when you run tshark.