1
votes

I have a protocol that is built on UDP and that is partly dissected by a third party dll in Wireshark. I now want to create a custom dissector to apply to the remaining field "data".

Is it possible to do so and should I use a dissector, post-dissector or a listener or a combination of them to accomplish this? Or do I have to re-write the third party dissector to one that calls my dissector on the remaining data?

2
You might want to see the Wireshark Q&A site ask.wireshark.org – sylvanaar

2 Answers

3
votes

As John Zwinck mentioned, you probably do want something like a chained dissector, which you can manage fairly straightforwardly in either Lua or C. To that end, you certainly do want to implement your logic as a dissector. In Lua, something like this:

do
    -- port the third-party protocol is registered on; replace with the real value
    local PROTO_PORT = 1234
    -- protocol object for your dissector (must exist before the dissector function is assigned)
    local your_protocol = Proto("yourproto", "Your Protocol")
    --TODO set up your extra "data" field
    local tcp_table = DissectorTable.get("tcp.port")   -- use "udp.port" for a UDP-based protocol
    -- fetch the third-party dissector before taking over the port
    local third_party_dissector = tcp_table:get_dissector(PROTO_PORT)

    function your_protocol.dissector(tvb, pinfo, tree)
         --call the third party dissector
         third_party_dissector:call(tvb, pinfo, tree)
         --TODO do what you need with the data
    end

    --take over the port your protocol runs over
    tcp_table:add(PROTO_PORT, your_protocol)
end

Keep the API on hand, but keep in mind also that Lua dissectors in Wireshark are really just for prototyping; they are less efficient than equivalent C-based dissectors, and the API tends to lag several versions behind the C dissection API.

1
votes

When I wanted to do something like this I found it surprisingly complex and unpleasant (relative to Lua dissector development in general). There is some mention of "chained dissectors" here: http://wiki.wireshark.org/Lua/Dissectors. From what I read (I never did get mine working, but I didn't try too hard), it seems easier to make chained dissectors in C than in Lua. Still, try following the example on that page, which thankfully has enough comments to make it pretty clear.
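A complete chained dissector in Lua, added here as an example that is not part of either answer above; it fills in the approach the first answer sketches (grab the existing dissector, call it, then dissect the remainder) for the UDP case the question asks about. Everything specific is assumed: a hypothetical port 5000 for the third-party protocol, a constructed layout for the trailing "data" field (1-byte type, 2-byte big-endian length, payload), and that Dissector:call() returns the number of bytes the third-party dissector actually consumed.

```lua
-- Added example, not code from the answers above: chained dissector for a UDP
-- protocol whose outer layer is handled by a dissector registered elsewhere.
local PROTO_PORT = 5000   -- assumed port of the third-party protocol

local inner = Proto("innerdata", "Inner Data (chained after third-party dissector)")

-- Constructed layout for the remaining "data": type, length, payload.
local f_type    = ProtoField.uint8 ("innerdata.type",    "Message type",   base.HEX)
local f_len     = ProtoField.uint16("innerdata.len",     "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("innerdata.payload", "Payload")
inner.fields = { f_type, f_len, f_payload }

-- Expert info so truncated or inconsistent packets stand out in the UI
local ef_short = ProtoExpert.new("innerdata.short",
    "Declared length exceeds captured data",
    expert.group.MALFORMED, expert.severity.ERROR)
inner.experts = { ef_short }

local udp_table = DissectorTable.get("udp.port")
-- Fetch whatever is registered on the port *before* we replace it.
local third_party = udp_table:get_dissector(PROTO_PORT)

function inner.dissector(tvb, pinfo, tree)
    -- Let the third-party dissector run first. Assumed: its return value is
    -- the number of bytes it dissected, so the rest starts at that offset.
    local consumed = third_party:call(tvb, pinfo, tree)
    if consumed >= tvb:len() then
        return consumed   -- nothing left over for us
    end

    -- Work only on the bytes the third-party dissector did not claim.
    local rest = tvb(consumed):tvb()
    local subtree = tree:add(inner, rest(), "Inner data")
    pinfo.cols.protocol:append("/INNERDATA")

    -- Header must be present before any field is indexed.
    if rest:len() < 3 then
        subtree:add_proto_expert_info(ef_short)
        return tvb:len()
    end
    subtree:add(f_type, rest(0, 1))
    subtree:add(f_len,  rest(1, 2))
    local declared = rest(1, 2):uint()

    -- Never trust the declared length beyond what was actually captured.
    local available = rest:len() - 3
    if declared > available then
        subtree:add_proto_expert_info(ef_short)
        subtree:add(f_payload, rest(3, available))
    else
        subtree:add(f_payload, rest(3, declared))
    end
    return tvb:len()
end

-- Take over the port; the original dissector stays reachable via 'third_party'.
udp_table:add(PROTO_PORT, inner)
```

Drop the file in the Wireshark plugins directory (or load it with -X lua_script:) and the port handoff happens at load time. One caveat worth checking on the real third-party dissector: some dissectors always report the whole tvb as consumed, in which case `consumed` is useless and the offset of the remaining data has to be computed from that protocol's known header length instead.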