The classes and methods in this chapter allow Lua scripts to create new protocols for Wireshark objects;
Proto protocol objects can have Pref preferences, ProtoField values that can be filtered in the detail view tree, methods used to parse the new protocol, etc.
The dissection function can be linked to an existing protocol tree through a DissectorTable, so that the resolution methods of a new protocol can be invoked by it. The new dissector itself can invoke other existing protocol parsers by retrieving and invoking Dissector objects.
Proto Dissector can also be used as a post-dissector, at the end of each data frame parse, or as a heuristic dissector;
11.6.1. Dissector
A reference to the parser to invoke the parser for a packet or part of the packet;
11.6.1.1. Dissector. Get (name)
Get a parser by name;
-
parameter
-
name
The name of the parser;
-
-
The return value
- Returns a reference to the parser if it was retrieved by name, otherwise
nil;
- Returns a reference to the parser if it was retrieved by name, otherwise
11.6.1.2. Dissector. List ()
Return a Lua array containing all registered Dissector names;
Ps: This operation is expensive and should only be used for error detection.
-
The return value
- An array table with the names of registered parsers;
11.6.1.3. Dissector: call (TVB, pinfo, tree)
Invoke a parser for a given packet or part of the packet;
-
parameter
-
tvb
Buffer to be parsed (that is, message content);
-
pinfo
Information about the packet
-
tree
Protocol tree to add protocol items;
-
-
The return value
-
Number of parsed bytes;
Ps: Some parsers always return the number of bytes passed into the buffer, so be careful;
-
11.6.1.4. Dissector: __call (TVB, pinfo, tree)
Invoke a parser for a given packet or part of the packet;
-
parameter
-
tvb
Buffer to be parsed (that is, message content);
-
pinfo
Information about the packet
-
tree
Protocol tree to add protocol items;
-
11.6.1.5. Dissector: __tostring ()
Obtain the short protocol name of the Dissector.
-
The return value
- A string representing the short name of the protocol;
11.6.2. DissectorTable
A subdissector table for a particular protocol (for example, TCP’s subparsers HTTP, SMTP, and SIP were added to the table “tcp.port”);
Add more parsers to the table so they can appear in the “decoded to…” (” Decode As…” ) dialog box;
DissectorTable. New (Tablename, [Uiname], [Type], [base], [Proto])
Create a DissectorTable for your Parser to use;
-
parameter
-
tablename
A short name for the table;
Use lowercase letters, dots, underscores (e.g., “ansi_map.tele_id” or “udp.port”);
-
Uiname (Optional)
The name of the table displayed in the user interface;
The default is the value of tablename, but any string value can be assigned;
-
Type (optional)
UINT8, ftypes.uint16, ftypes.uint24, ftypes.uint32, or ftypes.string.
The default value is ftypes.uint32.
-
Base (optional)
Base-none, base-. DEC, base-. HEX, base-. OCT, base-. DEC_HEX, or base-.
The default is base.dec;
-
Proto (optional)
Use the Dissector Table Proto object;
-
-
The return value
- The newly created
dissector table;
- The newly created
11.6.2.2. DissectorTable. List ()
Get a Lua array table with all DissectorTable names – that is, you can use the resultant name string in the first argument of a DissectorTable. Get ();
Ps: This operation is expensive and should be used only for error detection.
-
The return value
- Array table with names of registered DissectorTables;
11.6.2.3. DissectorTable. Heuristic_list ()
Gets a Lua array list of all the heuristic parser names – that is, you can use the resulting name string in the first argument to Proto:register_heuristic();
Ps: This operation is expensive and should be used only for error detection.
-
The return value
- An array table containing the names of registered heuristic dissectors;
11.6.3.4. Pref. String (label, the default, descr)
Create a string preference for the proto. prefs Lua table;
-
parameter
-
label
The label of the preference (the rvalue text of the preference input);
-
default
Default values for preferences to be set in Lua;
-
descr
A description of this preference;
-
11.6.3.5. Pref.enum(label, default, descr, enum, radio)
Create an enumerated preference for the Proto. Prefs Lua table;
11.6.3.6. Example:
local OUTPUT_OFF = 0
local OUTPUT_DEBUG = 1
local OUTPUT_INFO = 2
local OUTPUT_WARN = 3
local OUTPUT_ERROR = 4
local output_tab = {
{ 1."Off" , OUTPUT_OFF },
{ 2."Debug" , OUTPUT_DEBUG },
{ 3."Information" , OUTPUT_INFO },
{ 4."Warning" , OUTPUT_WARN },
{ 5."Error" , OUTPUT_ERROR },
}
-- Create enum preference that shows as Combo Box under
-- Foo Protocol's preferences
proto_foo.prefs.outputlevel = Pref.enum(
"Output Level".-- label
OUTPUT_INFO, -- default value
"Verbosity of log output".-- description
output_tab, -- enum table
false -- show as combo box
)
-- Then, we can query the value of the selected preference.
-- This line prints "Output Level: 3" assuming the selected
-- output level is _INFO.
debug( "Output Level: ". proto_foo.prefs.outputlevel )Copy the code-
parameter
-
label
The label of the preference (the rvalue text of the preference input);
-
default
Default values for preferences to be set in Lua;
-
descr
A description of this preference;
-
enum
A Lua enumeration table;
-
radio
Radio button (true) or Combobox (false);
-
11.6.3.7. Pref.range(label, default, descr, max)
Create a numeric interval preference for the Proto. Prefs Lua table;
-
parameter
-
label
The label of the preference (the rvalue text of the preference input);
-
default
Default values for preferences to be set in Lua;
-
descr
A description of this preference;
-
max
The maximum;
-
11.6.3.8. Pref. Statictext (label, descr)
Create a static text string preference for the proto. prefs Lua table;
-
parameter
-
label
Static text;
-
descr
Static text description;
-
11.6.4. Prefs
Table of preferences for the protocol;
11.6.4.1. Prefs: __newindex (name, pref.)
Create a preference;
-
parameter
-
name
An acronym for the preference;
-
pref
A valid but unassigned Pref object;
-
-
Possible errors
- Unknown Pref type
11.6.4.2. prefs:__index(name)
Gets the value of a preference;
Example 11.6.4.3.
-- print the value of Foo's preference named "bar"
debug( "bar = ". proto_foo.prefs.bar )Copy the code-
parameter
-
name
An acronym for the preference;
-
-
The return value
- The current value of the preference;
-
Possible errors
- Unknown Pref type
11.6.5 the Proto
A new protocol in Wireshark;
These Protocols have several uses. The main one is to parse a protocol. They can also be used for other purposes as a dummy for registering preferences.
New (name, desc) during 11.6.5.1. Proto.
Create a new Proto object;
-
parameter
-
name
The name of the protocol;
-
desc
A long text description (usually in lower case) of the protocol;
-
-
The return value
- A new Proto object;
11.6.5.2. Proto: __call (name, desc)
Create a Proto object;
-
parameter
-
name
The name of the protocol;
-
desc
A long text description (usually in lower case) of the protocol;
-
-
The return value
- A new Proto object;
11.6.5.3. Proto: register_heuristic (listname, func)
A heuristic dissector function given a heuristic list name is registered for the Proto protocol;
When the method is later called, the func passed in needs to be given the following arguments:
- A Tvb object;
- A Pinfo object;
- A TreeItem object;
The method must return true if the payload applies to it, false otherwise;
The method should validate as much as possible to ensure that the payload is intended for it, parse the packet if the payload is intended for it (including setting TreeItem information, etc.), and return true or False;
Starting with version 1.99.1, the method also accepts a Dissector object as a second argument to allow a function proto.dissector(…) Object Lua code reuse. In this case, the Dissector must return a Lua number representing the number of bytes consumed/parsed: if 0 is returned, it will be treated as False for the heuristic parsing; If a positive or negative number is returned, it is treated as a heuristic True, meaning that the packet was intended for this protocol, and no other heuristic parsers will be tried.
-
parameter
-
listname
The name of the function’s heuristic list (e.g., “udp” or “infiniband. Payload “);
-
func
A Lua method that will be called to perform heuristic parsing;
-
11.6.5.4. Proto. Dissector
Mode: only for retrieval and assignment (Mode: Retrieve or assign);
The protocol’s parser, a method you define;
When the method is later called, the following parameters need to be specified:
- A Tvb object;
- A Pinfo object;
- A TreeItem object;
11.6.5.5. Proto. Prefs
Mode: for retrieval only (Mode: Retrieve only);
Preferences for the parser;
11.6.5.6. Proto. Prefs_changed
Mode: only used for assignment (Mode: Assign only);
The parser’s Preferences Changed routine, a Lua method that you define;
11.6.5.7. Proto. Init
Mode: only used for assignment (Mode: Assign only);
The parser’s initialization routine, a Lua method you define;
The init method is called without passing in any arguments;
11.6.5.8. Proto. Name
Mode: for retrieval only (Mode: Retrieve only);
Give the name of the parser;
11.6.5.9. Proto. The description
Mode: for retrieval only (Mode: Retrieve only);
Assign a description to the parser;
11.6.5.10. Proto. Fields
Mode: only for retrieval and assignment (Mode: Retrieve or assign);
The Lua table of the parser’s ProtoField;
11.6.5.11. Proto. Experts
Mode: only for retrieval and assignment (Mode: Retrieve or assign);
The Proto expert information Lua table;
11.6.6. ProtoExpert
An expert information field for a protocol, used when adding items to the parse tree;
11.6.6.1. ProtoExpert. New (abbr, text, group, severity)
Create a ProtoExpert object for protocol expert-level information notification;
-
parameter
-
abbr
Filter name of the expert info field (the string that is used in filters).
-
text
Default text for the expert field;
-
group
Expert Group type, which can be: expert.group.CHECKSUM, expert.group.SEQUENCE, expert.group.RESPONSE_CODE, expert.group.REQUEST_CODE, expert.group.UNDECODED, expert.group.REASSEMBLE, expert.group.MALFORMED, expert.group.DEBUG, expert.group.PROTOCOL, expert.group.SECURITY, expert.group.COMMENTS_GROUP, expert.group.DECRYPTION, expert.group.ASSUMPTION or expert.group.DEPRECATED.
-
severity
The Expert Severity type can be: expert.severity.COMMENT, expert.severity.CHAT, expert.severity.NOTE, expert.severity.WARN, or expert.severity.ERROR.
-
-
The return value
- A newly created ProtoExpert object;
11.6.6.2. Protoexpert: __tostring ()
Returns a string of ProtoExpert object debugging information;
11.6.7. ProtoField
A Protocol field (used when items need to be added to the parse tree);
ProtoField. New (name, abbr, type, [valueString], [base], [mask], [descr])
Create a ProtoField object for a protocol field to use;
-
parameter
-
name
The actual name of the field (the string that will appear in the parse tree);
-
abbr
The filter name for the field (the string used in the filter);
-
type
Field Type, which can be: ftypes.BOOLEAN, ftypes.CHAR, ftypes.UINT8, ftypes.UINT16, ftypes.UINT24, ftypes.UINT32, ftypes.UINT64, ftypes.INT8, ftypes.INT16, ftypes.INT24, ftypes.INT32, ftypes.INT64, ftypes.FLOAT, ftypes.DOUBLE , ftypes.ABSOLUTE_TIME, ftypes.RELATIVE_TIME, ftypes.STRING, ftypes.STRINGZ, ftypes.UINT_STRING, ftypes.ETHER, ftypes.BYTES, ftypes.UINT_BYTES, ftypes.IPv4, ftypes.IPv6, ftypes.IPXNET, ftypes.FRAMENUM, ftypes.PCRE, ftypes.GUID, ftypes.OID, ftypes.PROTOCOL, ftypes.REL_OID, ftypes.SYSTEM_ID, ftypes.EUI64 or ftypes.NONE.
-
Valuestring (Optional)
If base is base.range_string, it is a table containing the text corresponding to the value; If base is base.unit_string, it is a table of unit names with numeric values; If the field type is ftypes.FRAMENUM, it is one of FrameType. NONE, frameType. REQUEST, frameType. RESPONSE, frameType. ACK, or frameType. DUP_ACK.
-
Base (optional)
The value can be base.NONE, base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.
-
Mask (optional)
The bitmask of the field;
-
Descr (optional)
A description of the field;
-
-
The return value
- A new ProtoField object;
11.6.7.2. ProtoField. Char (abbr, [name], [base], [valueString], [mask], [desc])
Create an 8-bit ASCII character ProtoField.
-
parameter
-
abbr
The acronym of the field (the string used in the filter);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
Can be: ‘base.NONE, base.HEX, base.
-
Valuestring (Optional)
A table containing the text corresponding to the numeric value, or if base is base.range_string, a table containing the range string value corresponding to the numeric value ({min, Max, “string”});
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.3. ProtoField. Uint8 (abbr, [name], [base], [valueString], [mask], [desc])
Create an 8-bit unsigned integer ProtoField(i.e., a byte);
-
parameter
-
abbr
The acronym of the field (the string used in the filter);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, base-. HEX or base-. OCT, base-.dec_HEX, base-. HEX_DEC, base-.unit_string or base-.range_string.
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.4. ProtoField. Uint16 (abbr, [name], [base], [ValueString], [mask], [desc])
Create a 16-bit unsigned integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, base-. HEX, base-. OCT, base-.dec_HEX, base-. HEX_DEC, base-.unit_string or base-.range_string;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
Uint24 (abbr, [name], [base], [valueString], [mask], [desc])
Create a 24-bit unsigned integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, base-. HEX, base-. OCT, base-. DEC_HEX, base-. HEX_DEC, base-. UNIT_STRING, or base-.
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Uint32 (ABBR, [name], [base], [ValueString], [mask], [desc])
Create a 32 bit unsigned integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, base-. HEX, base-. OCT, base-.dec_HEX, base-. HEX_DEC, base-.unit_string or base-.range_string;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Uint64 (ABBR, [name], [base], [ValueString], [mask], [desc])
Create a 64 bit unsigned integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, base-. HEX, base-. OCT, base-.dec_HEX, base-. HEX_DEC, base-.unit_string or base-.range_string;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Int8 (abbr, [name], [base], [valueString], [mask], [desc])
Create an 8-bit signed integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, UNIT_STRING, or base.RANGE_STRING;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Int16 (abbr, [name], [base], [valueString], [mask], [desc])
Create a 16-bit signed integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, UNIT_STRING, or base.RANGE_STRING;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Int24 (abbr, [name], [base], [valueString], [mask], [desc])
Create a 24 bit signed integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, UNIT_STRING, or base.RANGE_STRING;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Int32 (abbr, [name], [base], [valueString], [mask], [desc])
Create a 32 bit signed integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, UNIT_STRING, or base.RANGE_STRING;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Int64 (abbr, [name], [base], [valueString], [mask], [desc])
Create a 64 bit signed integer ProtoField.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
DEC, UNIT_STRING, or base.RANGE_STRING;
-
Valuestring (Optional)
RANGE_STRING is either a table containing the text corresponding to the value if base is base.range_string, or a table containing the range string corresponding to the value ({min, Max, “string”}), if base is base.unit_string, Is a table containing the names of numeric units;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
Framenum (abbr, [name], [base], [frameType], [mask], [desc])
Create a ProtoField for frame numbers (for hyperlinks between frames);
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
For framenum it can only be base.NONE;
-
Frametype (optional)
NONE, frameType. REQUEST, frameType. RESPONSE, frameType. ACK or frametype.DUP_ACK;
-
Mask (optional)
The integer mask of this field can only be 0 for framenum;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.14. ProtoField. Bool (abbr, [name], [display], [valueString], [mask], [desc])
Create a Boolean True/False ProtoField;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
What is the width of the parent field (null-value uses base.NONE);
-
Valuestring (Optional)
A table containing text corresponding to a numeric value;
-
Mask (optional)
The integer mask of the field;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
ProtoField. Absolute_time (abbr, [name], [base], [desc])
Create a ProtoField with a Time_t structure value;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Base (optional)
The value can be base.LOCAL, base.UTC or base.DOY_UTC;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.16. ProtoField. Relative_time (abbr, [name], [desc])
Create a ProtoField with a Time_t structure value;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.17. ProtoField. Float (abbr, [name], [valueString], [desc])
Create a ProtoField of floating point type.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Valuestring (Optional)
A table containing text corresponding to a numeric value;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.18. ProtoField. Double (abbr, [name], [valueString], [desc])
Create a ProtoField of type double float.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Valuestring (Optional)
A table containing text corresponding to a numeric value;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.19. ProtoField. String (abbr, [name], [display], [desc])
Create a ProtoField of string value type;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
Can be: base.ASCII or base.UNICODE;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.20. ProtoField. Stringz (abbr, [name], [display], [desc])
Create a ProtoField with a zero-terminated string value;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
Can be: base.ASCII or base.UNICODE;
-
Valuestring (Optional)
A table containing text corresponding to a numeric value;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.21. ProtoField. Bytes (abbr, [name], [display], [desc])
Create a ProtoField for any number of bytes;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
Base.none, base.dot, base.dash, base.colon or base.space;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.22. ProtoField. Ubytes (abbr, [name], [display], [desc])
Creates a ProtoField for any number of unsigned bytes;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
Base.none, base.dot, base.dash, base.colon or base.space;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.23. ProtoField. None (abbr, [name], [desc])
Create a ProtoField with no structure type;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Display (optional)
Base.none, base.dot, base.dash, base.colon or base.space;
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.24. ProtoField. Ipv4 (abbr, [name], [desc])
Create a ProtoField (4 bytes) for an IPv4 address;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.25. ProtoField. Ipv6 (abbr, [name], [desc])
Create a ProtoField for IPv6 addresses (16 bytes);
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.26. ProtoField. Mr (abbr, [name], [desc])
Create a ProtoField (6 bytes) for an Ethernet address;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.27. ProtoField. Guid (abbr, [name], [desc])
Create a ProtoField for a Globally Unique IDentifier (GUID);
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.28. ProtoField. Oid (abbr, [name], [desc])
Create a ProtoField for an ASN.1 Organizational IDentified (OID);
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.29. ProtoField. Protocol (abbr, [name], [desc])
Create a ProtoField for a subprotocol.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.30. ProtoField. Rel_oid (abbr, [name], [desc])
Create a ProtoField for an ASN.1 relative-OID;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.31. ProtoField. Systemid (abbr, [name], [desc])
Create a ProtoField for an OSI System ID.
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.32. ProtoField. Eui64 (abbr, [name], [desc])
Create a ProtoField for an EUI64;
-
parameter
-
abbr
Acronyms for fields (strings used in filters);
-
Name (optional)
The actual name of the field (the string that will appear in the parse tree);
-
Desc (optional)
A description of the field;
-
-
The return value
- A ProtoField object that will be added to the table set to the proto.fields property;
11.6.7.33. Protofield: __tostring ()
Returns string information for a Protofield (for debugging);
11.6.8. Global Functions provides
11.6.8.1. Register_postdissector (proto, [allfields])
Make a Proto protocol (with parsing methods) a post-dissector.
It will be called after each data frame has been parsed;
-
parameter
-
proto
The protocol to be used as the post-parser;
-
Allfields (optional)
Whether all fields are generated;
Ps: This affects performance (default false)
-
Dissect_tcp_pdus (TVB, Tree, Min_header_size, Get_len_func, Dissect_func, [desegment])
Make the TCP layer call the given Lua method for each PDU in the TCP segment, whose length is returned by the given get_len_func method;
This approach is useful for TCP-based protocols that are either fixed length or have a minimum portion that encodes a length field that can be used to identify the full length of the protocol;
For such protocols, their protocol parser method can call a Dissect_TCP_PDus () method to more easily parse their protocol messages (i.e., their protocol data units (PDUs));
This method cannot be used for protocols whose PDU length is not bound by a fixed minimum, such as HTTP or Telnet;
-
parameter
-
tvb
Parse the PDU cache;
-
tree
Parse the PDU cache;
-
min_header_size
The number of bytes in The fixed-length part of The PDU;
-
get_len_func
A Lua method that will be called by each PDU to determine the length of the entire PDU;
The called method is given:
(1) Tvb objects for the entire Tvb (may be reassembled)
(2) the Pinfo object
(3) The number of a table offset, which is the index of the PDU’s first byte (i.e., its first header byte)
-
dissect_func
A Lua method that will be called by each PDU to parse the PDU;
The called method is given:
(1) Tvb object of PDU (may be reassembled)
(2) the Pinfo object
(3) the TreeItem objects
This Lua function must return a Lua number for the number of bytes read/processed, usually Tvb:len();
-
Desegment (optional)
Whether to reassemble PDUs according to TCP data segment boundaries (default true);
-