Wireshark dissector scans packet file three times


Jerry White
Hi all,

I'm a beginner at Lua/Wireshark and need some help. I've written a script that reads a packet file, creates a new protocol, and writes some packet info to a log file. It is populating the Wireshark tree correctly, but for some reason it is creating three entries for the same packet in the log file, iterating through the file three times. Why does it do this?

Script below:
Thanks in advance for any help.
Jerry
------------------------------------------------------------------------------------

local WBA = Proto("myWBA", "SomosWBA")

-- ProtoFields for the two values pulled out of the payload
local req_appcode_tree = ProtoField.new("WBA_header", "WBA.WBA_header", ftypes.STRING)
local ac_appcode_tree  = ProtoField.new("WBA_subtype", "WBA.WBA_subtype", ftypes.STRING)

WBA.fields = {
    req_appcode_tree,
    ac_appcode_tree
}

-- initialize LOG file (io.open with an explicit "w" mode; the original line
-- passed an undefined global `w` to io.output, which silently ignored it)
local logg = assert(io.open("C:\\foo\\lua.log.txt", "w"))
logg:write("pnum,rel_time,src_port,dst_port,appcode,subcode\n")

function WBA.dissector(tvbuf, pktinfo, root)

    -- set the protocol column to show our protocol name
    pktinfo.cols.protocol:set("WBA")
    local pktlen = tvbuf:reported_length_remaining()

    local tree = root:add(WBA, tvbuf:range(0, pktlen)) -- is this what makes it go three times?

    -- what is the level 1 transaction type?
    -- until I get 3 bytes of interest, munch 3 bytes at a time and look for "REQ"

    local start_offset = -1

    repeat
        if start_offset + 3 >= pktlen then
            return
        end
        start_offset = start_offset + 1
        local req_header_ascii = tvbuf:range(start_offset, 3):string(ENC_ASCII)
    until (req_header_ascii == "REQ")

    -- found REQ, now get the whole 7-byte field (bail out if it runs past the end of the packet)
    if start_offset + 7 > pktlen then
        return
    end
    tree:add_packet_field(req_appcode_tree, tvbuf:range(start_offset, 7), ENC_ASCII)
    local req_appcode_ascii = tvbuf:range(start_offset, 7):string(ENC_ASCII)

    -- what is the level 2 transaction type?
    -- get the ac= code
    -- first scan the payload for "AC="

    repeat
        if start_offset + 3 >= pktlen then
            return
        end
        start_offset = start_offset + 1
        local ac_header_ascii = tvbuf:range(start_offset, 3):string(ENC_ASCII)
    until (ac_header_ascii == "AC=")

    -- found AC=, now get the whole 4-byte field (same bounds check)
    if start_offset + 4 > pktlen then
        return
    end
    tree:add_packet_field(ac_appcode_tree, tvbuf:range(start_offset, 4), ENC_ASCII)
    local ac_appcode_ascii = tvbuf:range(start_offset, 4):string(ENC_ASCII)

    -- write to the logfile; flush so the line reaches disk even if Wireshark exits abruptly
    logg:write(pktinfo.number .. "," .. pktinfo.rel_ts .. "," .. pktinfo.src_port .. "," .. pktinfo.dst_port .. "," .. req_appcode_ascii .. "," .. ac_appcode_ascii .. "\n")
    logg:flush()

    -- put the app code into the wireshark info column
    pktinfo.cols.info:set("APPCODE:" .. req_appcode_ascii .. ", SUBCODE:" .. ac_appcode_ascii)

end

-- single port per app
DissectorTable.get("tcp.port"):add(3900, WBA)



Re: Wireshark dissector scans packet file three times

Thijs Schreijer


On 5 Jun 2019, at 01:36, Jerry White <[hidden email]> wrote:

Hi all,

I'm a beginner at Lua/Wireshark and need some help. I've written a script that reads a packet file, creates a new protocol, and writes some packet info to a log file. It is populating the Wireshark tree correctly, but for some reason it is creating three entries for the same packet in the log file, iterating through the file three times. Why does it do this?

Script below:
Thanks in advance for any help.
Jerry
——————————————————————————————————————————

No Wireshark expert, but your code looks to be procedural (top to bottom). So the only thing imo that would cause it to log 3 times, would be that Wireshark calls this code 3 times. So this doesn’t look like a Lua problem to me.

But to figure out why that is, you probably have to check Wireshark docs/community.

Hth
Thijs
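Editor's note with an added example (not code from the thread, and not Jerry's script): Thijs's reading is the right one. Wireshark runs a dissector for the same packet more than once: a first pass while the capture file is loaded, again when the packet is selected so the detail tree can be built, and again whenever a display filter is applied or columns are redrawn (tshark's two-pass mode, `-2`, runs every packet twice). The tree and column updates are idempotent, so repeating them is harmless, but a file write is not. The Lua API exposes `pktinfo.visited`, which is false only on the first pass, so any side effect belongs behind that check. The version below keeps the same protocol, fields, port and log path from the post (all assumed to be what the original author wants), reopens the log from `Proto.init` so each capture file starts fresh, replaces the 3-byte sliding window with one plain-text `string.find` per marker, and bounds-checks both fields before slicing them.

```lua
-- Added example, not code from the thread: the same dissector restructured so
-- that the log line is written once per packet. pktinfo.visited is false only
-- on Wireshark's first pass over a packet; later redissections (packet
-- selection, refilter, column refresh) see visited == true.
local WBA = Proto("myWBA", "SomosWBA")

local f_header  = ProtoField.string("WBA.WBA_header",  "WBA_header")
local f_subtype = ProtoField.string("WBA.WBA_subtype", "WBA_subtype")
WBA.fields = { f_header, f_subtype }

local LOG_PATH = "C:\\foo\\lua.log.txt"   -- path taken from the post; adjust to taste
local logg = nil

-- Proto.init runs each time a capture file is opened, so the log is
-- (re)opened here rather than at script load; every file gets a fresh log.
function WBA.init()
    if logg then logg:close() end
    logg = assert(io.open(LOG_PATH, "w"))
    logg:write("pnum,rel_time,src_port,dst_port,appcode,subcode\n")
end

-- Return the 0-based offset of the first occurrence of `marker` in `payload`
-- at or after 0-based offset `from`, or nil if it is absent.
local function find_marker(payload, marker, from)
    local s = payload:find(marker, from + 1, true)   -- plain find, no pattern magic
    return s and (s - 1) or nil
end

function WBA.dissector(tvbuf, pktinfo, root)
    pktinfo.cols.protocol:set("WBA")
    local pktlen = tvbuf:reported_length_remaining()
    local tree   = root:add(WBA, tvbuf:range(0, pktlen))

    -- raw bytes for searching; one find per marker replaces the byte-by-byte loop
    local payload = tvbuf:range(0, pktlen):raw()

    local req_off = find_marker(payload, "REQ", 0)
    if not req_off or req_off + 7 > pktlen then return end   -- no REQ, or field truncated
    local req_code = tvbuf:range(req_off, 7):string(ENC_ASCII)
    tree:add_packet_field(f_header, tvbuf:range(req_off, 7), ENC_ASCII)

    local ac_off = find_marker(payload, "AC=", req_off + 7)  -- search after the REQ field
    if not ac_off or ac_off + 4 > pktlen then return end     -- no AC=, or field truncated
    local ac_code = tvbuf:range(ac_off, 4):string(ENC_ASCII)
    tree:add_packet_field(f_subtype, tvbuf:range(ac_off, 4), ENC_ASCII)

    pktinfo.cols.info:set("APPCODE:" .. req_code .. ", SUBCODE:" .. ac_code)

    -- tree and columns are rebuilt on every call; the file write happens once
    if not pktinfo.visited and logg then
        logg:write(string.format("%d,%s,%d,%d,%s,%s\n",
            pktinfo.number, tostring(pktinfo.rel_ts),
            pktinfo.src_port, pktinfo.dst_port, req_code, ac_code))
        logg:flush()
    end
end

DissectorTable.get("tcp.port"):add(3900, WBA)
```

Because the two values are registered as named fields, the same CSV can also be produced with no side effects in the dissector at all, which is the more robust route for anything that has to run unattended (file and script names here are assumed): `tshark -r capture.pcap -X lua_script:wba.lua -T fields -E separator=, -e frame.number -e frame.time_relative -e tcp.srcport -e tcp.dstport -e WBA.WBA_header -e WBA.WBA_subtype`.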
Re: Wireshark dissector scans packet file three times

Jerry White
Ah, the Wireshark dev list. Thanks for the reminder! 

Jerry


No Wireshark expert, but your code looks to be procedural (top to bottom). So the only thing imo that would cause it to log 3 times, would be that Wireshark calls this code 3 times. So this doesn’t look like a Lua problem to me.

But to figure out why that is, you probably have to check Wireshark docs/community.

Hth
Thijs