I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful.

In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client).

Is there a way to get this info from the tcp dissector? Would I have to write a tap? I'm not so clear on how to do this in lua.

Cross-posted on the Wireshark Stack site here.

1 Answer


To write a stateful protocol dissector in Lua you can use closures to store state information. You can easily decipher which endpoint started the conversation if you analyse the SYN/SYN+ACK flags of the first packets of a given TCP stream # (which is generated by the TCP dissector).

To make this work you should install a post-dissector and check the 'tcp.stream' field.

You can check out that technique in the sources of my small Lua Wireshark dissector that captures HTTP state information.
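The technique the answer describes, written out as an added example (this is not code from the question, the answer, or the linked HTTP dissector): a Lua post-dissector that watches the SYN / SYN+ACK flags of each `tcp.stream`, remembers in a closure-held table which endpoint sent the bare SYN, and then tags every packet of that stream with the client endpoint and whether the packet travels client-to-server. The protocol name `tcpclient`, the field names under it, and the handling of `FieldInfo.value` for the boolean `tcp.flags.syn` / `tcp.flags.ack` fields (a Lua boolean in recent Wireshark builds, a number in older ones) are assumptions of this example, not anything stated on the page.

```lua
-- Added example, not from the original post. Load with:
--   wireshark -X lua_script:tcpclient.lua capture.pcapng
-- Field extractors must be created at load time, before any packet is dissected.
-- A post-dissector runs after the TCP dissector, so these fields are populated.
local f_tcp_stream  = Field.new("tcp.stream")
local f_tcp_syn     = Field.new("tcp.flags.syn")
local f_tcp_ack     = Field.new("tcp.flags.ack")
local f_tcp_srcport = Field.new("tcp.srcport")
local f_tcp_dstport = Field.new("tcp.dstport")

-- Hypothetical protocol/field names for this example.
local proto = Proto("tcpclient", "TCP client tracker (example post-dissector)")
local pf_client    = ProtoField.string("tcpclient.client",    "Client endpoint")
local pf_direction = ProtoField.string("tcpclient.direction", "Direction")
proto.fields = { pf_client, pf_direction }

-- Closure-held state: tcp.stream number -> "addr:port" of the endpoint that
-- opened the connection. Filled in on the first (sequential) pass only.
local clients = {}

-- Called whenever a capture is (re)loaded, so stale state never leaks across files.
function proto.init()
  clients = {}
end

-- Assumption: a boolean field's .value is true/false on current Wireshark and
-- 1/0 on older releases; accept both.
local function flag_set(fi)
  if fi == nil then return false end
  local v = fi.value
  return v == true or v == 1
end

function proto.dissector(buf, pinfo, tree)
  local stream_fi = f_tcp_stream()
  if stream_fi == nil then return end          -- not a TCP packet

  local stream = stream_fi.value
  local src = tostring(pinfo.src) .. ":" .. tostring(f_tcp_srcport().value)
  local dst = tostring(pinfo.dst) .. ":" .. tostring(f_tcp_dstport().value)

  -- Learn the client only on the first pass (pinfo.visited == false), so that
  -- packets are seen in capture order and the handshake is met before the data.
  if not pinfo.visited and clients[stream] == nil then
    local syn, ack = flag_set(f_tcp_syn()), flag_set(f_tcp_ack())
    if syn and not ack then
      clients[stream] = src                    -- bare SYN: the sender is the client
    elseif syn and ack then
      clients[stream] = dst                    -- SYN+ACK seen first: its receiver is the client
    end
  end

  local client = clients[stream]
  if client == nil then return end             -- handshake not in the capture; stay silent

  local subtree = tree:add(proto, buf(), "TCP client tracker")
  subtree:add(pf_client, client)
  if src == client then
    subtree:add(pf_direction, "client -> server")
  else
    subtree:add(pf_direction, "server -> client")
  end
end

register_postdissector(proto)
```

Two points worth keeping in mind when reusing this in a real protocol dissector: the client is only ever learned from the handshake, so a stream whose SYN was not captured (a capture started mid-connection) gets no `tcpclient.*` fields rather than a guessed direction, which is the safer failure mode for field decoding; and the state lookup must not depend on second-pass dissection order, which is why the table is written only when `pinfo.visited` is false and merely read afterwards (the `tcpclient.direction` field can then be used in display filters on any pass).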