I also tried to use code similar to that in the previously mentioned presentation:
===================================
wsp_extractor = Field.new("wsp")
tap = Listener.new(nil,"wsp")
function tap.packet(pinfo,tvb,userdata)
    local wsp_pdu = wsp_extractor()
    if wsp_pdu then
        print(wsp_pdu.value)
    end
end
===================================
In this case I get another error:
[string "wsp.lua"]:6: FT_ not yet supported
So I am stuck for now...
On Mon, Feb 22, 2010 at 4:23 PM, Peter Smith <[email protected]> wrote:
> Yes, that was the starting point but I have already tried numerous other
> ways to get the data out of the extracted field with no luck. I found a
> similar sample from this presentation for Sharkfest'09 available here:
> http://www.cacetech.com/sharkfest.09/DT06_Bjorlykke_Lua%20Scripting%20in%20Wireshark.pdf
>
> Here is the code sample from it:
>
> =======================
> -- Register a field value
> udp_len_f = Field.new ("udp.length")
>
> local function menuable_tap ()
>     function tap.packet (pinfo, buffer, userdata)
>         -- Fetch the UDP length
>         local udp_len = udp_len_f()
>         if udp_len and udp_len.value > 400 then
>             -- Do something with big UDP packages
>         end
>     end
> end
> =======================
>
> Apparently the reassembled data is contained within the userdata structure
> passed to the tap.packet function but I could not find a way to either print or
> save that data anyhow. I have already posted on the Lua list hoping to get a way
> to access the userdata type but it turned out that Lua is only getting a
> pointer via this userdata type to the actual reassembled packet data. So
> there should be some Wireshark-specific function to access and use that
> data. Unfortunately, I spent 3 days on it already and have not found that
> function yet.
>
> Hopefully someone on the Wireshark list will help me here...
>
> Apparently the range method is not useful for the reassembled packets
> because it works with the tvb buffer, which is a buffer for the current packet
> only, so it can't access the previous packets with the rest of the
> reassembled data. I guess that's why we get those "expired tvb" errors
> when accessing previous packets...
>
>
> On Mon, Feb 22, 2010 at 4:00 PM, varname <[email protected]> wrote:
>
>> Peter Smith wrote:
>> > If the reassembled data comes from several packets I get the following
>> > error:
>> > tshark: Lua: on packet 164 Error During execution of Listener Packet
>> > Callback:
>> > expired tvb
>>
>> Using your code I was able to get to the same point (I'm basically
>> trying to do the same thing, but for HTTP packets). If any HTTP packet
>> is a reassembled one I get the same error.
>>
>> May I ask if you got the idea for this from this [1] thread on the users
>> list?
>>
>>
>> [1] http://www.wireshark.org/lists/wireshark-users/200707/msg00156.html
>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <[email protected]>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> mailto:[email protected]?subject=unsubscribe
>>