> On Aug 31, 2021, at 10:37 PM, Ariel Burbaickij <ariel.burbaic...@gmail.com> > wrote: > > Hello Christopher, all, > as I wrote "... to write Lua dissector...", so instructions what and how to > do on command line do not apply in this case. Meanwhile, I figured out by > myself how this is supposed to work: > > local udlt = DissectorTable.get("wtap_encap") > udlt:add(wtap.USER1, ypp) > > why not to stick to one naming convention of user_dlt
An explanation of various link-layer type indicators: Wireshark can read several file formats; they do not all use the same numerical values for any given link-layer type. pcap and pcapng files use the LINKTYPEs specified on https://www.tcpdump.org/linktypes.html The numerical values in that file appear in the headers of pcap files and the Interface Description Blocks of pcapng files. libpcap uses DLTs in its APIs. DLTs are *not* guaranteed to have the same numerical values on all platforms; historically, various OSes have given some DLTs different values on different OSes, so no program should depend on the numerical value; libpcap preserves that, for binary compatibility. The LINKTYPEs were created to provide values that *would* be guaranteed to be the same, no matter what platform the file is written on; libpcap maps between LINKTYPEs and DLTs. No current libpcap API uses LINKTYPEs. Wireshark reads more than just pcap and pcapng files, and some of the files it reads have link-layer types for which there is no corresponding LINKTYPE_ value. Therefore, it has its *own* set of link-layer types - those are the WTAP_ENCAPs. There is no guarantee that a WTAP_ENCAP that corresponds to a given LINKTYPE has the same numerical value, and there never will be such a guarantee - we don't even guarantee that the numerical values of WTAP_ENCAPs will remain the same from one Wireshark major release to another. The APIs Wireshark offers to plugins, whether they're for C or Lua plugins, use WTAP_ENCAPs, not LINKTYPEs. There is, therefore, no guarantee that 148 will work as a way to refer to WTAP_ENCAP_USER1, even though the numerical value of LINKTYPE_USER1 is 148. The same applies for all other USERn values from USER0 to USER15 - use WTAP_ENCAP_USERn, not the numerical value for LINKTYPE_USERn, in libwiretap and libwireshark APIs. The naming convention we use is that, when registering in the "wtap_encap" dissector table with the Wireshark encapsulation value WTAP_ENCAP_xxx, you use WTAP_ENCAP_xxx in C code and wtap.xxx in Lua code. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe