Obtaining parsed Data

11.2.1. Field

A Field extractor, used to get Field values. A field object can and can only be created outside of the callbacks of dissectors, post-Dissectors, heuristic-dissectors, and TAPS;

Once created, it can be used in the callback function to generate a FieldInfo object;

New (fieldname) during 11.2.1.1. Field.

Create a field extractor;

parameter
- fieldname
  
  The name of the field filter created (for example, ip.addr)

The return value
- A field extractor;

Possible errors
- A Field extractor must be defined before Taps or Dissectors get called

11.2.1.2. Field. The list ()

Get a Lua array table containing the names of all registered field filters;

PS: This operation costs a lot and should be used only for error detection.

The return value
- An array table containing all field filter names;

11.2.1.3. Field: the __call ()

Get all the values of the fields that called the method (see FieldInfo for details);

The return value
- All values in the field;

Possible errors
- Fields cannot be used outside dissectors or taps

11.2.1.4. Field: __tostring ()

Gets a string with the field filter name;

11.2.1.5. Field. The name

Mode: for retrieval only (Mode:Retrieve only);

The name of the field filter, null if it does not exist;

11.2.1.6. Field. The display

Mode: for retrieval only (Mode:Retrieve only);

The full display name of this field, null if not present;

11.2.1.7. Field. Type

Mode: for retrieval only (Mode:Retrieve only);

Ftype of this field is null if it does not exist.

11.2.2. FieldInfo

A field extracted from a parsed packet;

The FieldInfo object can only be used in callback functions of dissectors, post-Dissectors, heuristic dissectors, and TAPS;

FieldInfo can be called on existing Wireshark fields by using field.new () or Field() beforehand, or on new fields created from Protofields by Lua;

11.2.2.1. Fieldinfo: __len ()

Gets the length of the field;

11.2.2.2. Fieldinfo: __unm ()

Gets the offset of the field;

11.2.2.3. Fieldinfo: __call ()

Gets the value of the field;

Before version 1.11.4, this function was used to retrieve values for most field types, but in the case of ftypes.uINT_bytes, it retrieves a ByteArray of the Tvbrange available for the entire field. In other words, it returns a ByteArray that includes the length of leading Length bytes (s), not just bytes containing values. That was a Bug that was fixed in 1.11.4. In addition, the same is true for ftupes.guid;

If you still want a TvbRange ByteArray, use FieldInfo:get_range() to get it, then use Tvb: bytes() to convert it to ByteArray;

11.2.2.4. Fieldinfo: __tostring ()

A string representation of the field;

11.2.2.5. Fieldinfo: __eq ()

Check whether the LHS is within the RHS;

11.2.2.6. Fieldinfo: __le ()

Check whether the end byte of the equality lvalue (LHS) precedes the end byte of the equality RHS;

Possible errors
- Data source must be the same for both fields