
I'm writing a dissector in Lua for Wireshark, and the only identifier for these packets is in the data that hasn't been parsed yet. I'm just not sure how to get at this yet. Usually it is in the tvb buffer when using a dissector, but with the other dissectors the IP or port was the identifier, not the data itself.

1 Answer


If it's available in the data.data field, then you can try to look into that field to see if the data is relevant to your dissector.

For an example of how this might be done, have a look at the Guacamole Post-dissector I wrote and posted on the Wireshark Guacamole wiki page.

Christopher Maynard
  • For me it doesn't seem to be working. How do you get the actual data with the Field object? I do `x = Field.new('data.data')` then `y = x()` like your file, but it is always a nil value. – Sam Spencer Jun 23 '23 at 15:29
  • *If it's available in the data.data field*, with *If* being the key word here. Maybe it's in `udp.payload` or `tcp.payload` or some other field? I would suggest opening a capture file in Wireshark and selecting the data, then looking at the status bar at the bottom of the window; it will show you the name of the field containing the data you're interested in. Then just replace `data.data` with whatever field that is. – Christopher Maynard Jun 23 '23 at 17:34
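The approach the answer and comments describe, written out as an added example (this is not the Guacamole post-dissector from the Wireshark wiki, nor code from either participant): a Lua post-dissector that reads the payload through `Field.new` extractors for `data.data`, `udp.payload` and `tcp.payload`, and only claims the packet when the payload starts with a constructed marker. The protocol name `examplemagic`, the 4-byte ASCII marker `EXMP` and the version/length layout after it are assumptions made for the example; substitute whatever identifier your packets actually carry and whatever field name the status bar shows for the selected bytes.

```lua
-- Added example, not code from the original question or answer.
-- A Wireshark Lua post-dissector that identifies packets by their payload
-- contents rather than by IP address or port.
local my_proto = Proto("examplemagic", "Example Magic Payload")

local f_marker  = ProtoField.string("examplemagic.marker",  "Marker")
local f_version = ProtoField.uint8("examplemagic.version",  "Version", base.DEC)
local f_len     = ProtoField.uint16("examplemagic.len",     "Declared length", base.DEC)
my_proto.fields = { f_marker, f_version, f_len }

-- Field extractors must be created at script load time, before any packet
-- is dissected. Calling one later returns a FieldInfo for the current
-- packet, or nil when that field was not added by an earlier dissector
-- (which is why the comment above saw nil for data.data).
local data_field        = Field.new("data.data")
local udp_payload_field = Field.new("udp.payload")
local tcp_payload_field = Field.new("tcp.payload")

-- Constructed identifier (assumption): packets of interest start with "EXMP",
-- followed by a 1-byte version and a 2-byte big-endian length.
local MAGIC = "EXMP"
local HEADER_LEN = 7

-- Return a TvbRange over the first payload field that is present, or nil.
local function find_payload()
  local fi = data_field() or udp_payload_field() or tcp_payload_field()
  if fi == nil then
    return nil
  end
  return fi.range
end

function my_proto.dissector(tvb, pinfo, tree)
  local range = find_payload()
  -- Bounds check first: never index into a payload shorter than the header.
  if range == nil or range:len() < HEADER_LEN then
    return
  end
  -- Only claim the packet when the marker matches; otherwise leave it alone.
  if range:range(0, 4):string() ~= MAGIC then
    return
  end

  local subtree = tree:add(my_proto, range)
  subtree:add(f_marker,  range:range(0, 4))
  subtree:add(f_version, range:range(4, 1))
  subtree:add(f_len,     range:range(5, 2))

  -- Flag a declared length that does not fit in the captured payload, so a
  -- malformed or truncated packet is visible rather than silently accepted.
  local declared = range:range(5, 2):uint()
  if declared > range:len() - HEADER_LEN then
    subtree:add_expert_info(PI_MALFORMED, PI_WARN,
      "Declared length exceeds payload length")
  end

  pinfo.cols.protocol = "EXMP"
end

-- A post-dissector runs after all ordinary dissectors, so the payload fields
-- it inspects already exist when it is called.
register_postdissector(my_proto)
```

Drop the file into the Wireshark plugins directory (Help > About Wireshark > Folders shows the path) and reload Lua plugins. The `find_payload` order matters: when `data.data` exists, `tcp.payload` or `udp.payload` usually exists too, so the extractor for the most specific field is tried first.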