> From: Cristian Constantin <const.crist@xxxxxxxxxxxxxx>
> Date: Fri, 15 Mar 2013 19:24:39 +0100
>
> I am trying to access from a lua script the length indictator field of
> the mtp2 protocol.
>
> 1. yes, I am sure that the capture contains ss7 mtp2 traffic
> 2. yes, I am sure that the filter selects the ss7 mtp2 traffic.
> 3. I am using wireshark:
>
> wireshark -v
> wireshark 1.8.2
I suggest you upgrade to a newer Wireshark. There were some bugs with
Lua-based Fields which were fixed in newer releases, like 1.9.0.
I don't think you've hit one of those bugs, but it may help you avoid hitting
them in the future. :)
> does anyone here know why for example this snippet:
>
> local mtp2_li_field = Field.new("mtp2.li")
>
> function tap.packet(pinfo, tvb)
> local mtp2_len = mtp2_li_field()
> print("mtp2 len:", tostring(mtp2_len))
> print("mtp2 len:", tostring(mtp2_len.value))
> end
>
> dumps something like:
>
> mtp2 len: nil
> [string "get_isup.lua"]:187: attempt to index local 'mtp2_len' (a nil value)
>
> ??
A Lua Listener tap will be executed against every packet/frame that it's
registered the type for, which by default is every frame.
So if there's even a single packet in your pcap file without a 'mtp2.li' field,
your mtp2_len variable will be nil for that execution of tap.packet() for that
packet.
Therefore my guess is you've got one or more packets in the capture that don't
have such a field.
When you do this:
print("mtp2 len:", tostring(mtp2_len.value))
You're trying to access the 'value' field of the 'mtp2_len' object, and
'mtp2_len' isn't an object but instead nil for a packet that doesn't have such
a field, and thus errors.
So you should do this instead:
function tap.packet(pinfo, tvb)
local mtp2_len = mtp2_li_field()
if mtp2_len then
print("mtp2 len:" .. tostring(mtp2_len))
print("mtp2 len:" .. tostring(mtp2_len.value))
else
print("packet #" .. pinfo.number .. " didn't have a mtp2.li field")
end
end
Another possibility is that you're parsing an Annex A MTP2 packet, or you have
"Use extended sequence numbers" enabled for the "mtp2" protocol in your
Wireshark preferences.
In that case, I think it may be possible your mtp2_len field will always be
nil, because there are *two* "mtp2.li" fields really: one using 8-bit
numbering, and a second using 16-bit numbering. Internally they're really two
separate fields, and which one gets populated depends on whether the packet is
an Annex A or not, or if the preferences dictate it or not.
When you do this:
local mtp2_len = mtp2_li_field()
I'm pretty sure Wireshark will correctly return the appropriate one as the one
and only value; but it's possible it is returning either just nil because the
first one is not filled in, or it's returning both - and if it's returning
both, then setting the value of variable 'mtp2_len' to the first returned value
from 'mtp2_li_field()' means you're getting the 8-bit one and thus probably nil.
> otoh this one:
>
> local mtp2_field = Field.new("mtp2")
>
> function tap.packet(pinfo, tvb)
> local mtp2 = mtp2_field()
> local l = string.byte(mtp2.value,3);
> end
>
> barks like this:
>
> [string "get_isup.lua"]:189: bad argument #1 to 'byte' (string
> expected, got userdata)
"mtp2" is a protocol field, I think - not a "normal" value field. Therefore,
when you do this:
local l = string.byte(mtp2.value,3);
the 'mtp2.value' retrieves a ByteArray object (one of the object types defined
by Wireshark's Lua), as opposed to a Lua string. Since the string.byte()
function expects a Lua string for its first argument, this will fail. Lua's
error message is a bit opaque because all Lua knows about the ByteArray object
is that it's a Lua userdata type, as opposed to for example a Lua number or
table type.
Since it's a ByteArray object, you can call some methods against it to get
values.
See this:
http://www.wireshark.org/docs/wsug_html_chunked/lua_module_Tvb.html#lua_class_ByteArray
For example:
function tap.packet(pinfo, tvb)
local mtp2 = mtp2_field()
local mtp2val = mtp2 and mtp2.value -- gets the value if mtp2 is not
nil/false
if mtp2val then
local l = mtp2val:get_index(3) -- gets the decimal number of third
byte
print("The third byte of the mtp2 protocol section is: " .. l)
end
end
> on a more general note, how to use lua in wireshark with binary
> protocols when lua
> lacks built-in support for working with binary values (i.e.
> pack/unpack, oct a la perl)???
>
> I mean I have found and I have used the "struct" package from here:
> http://www.inf.puc-rio.br/~roberto/struct/
>
> but in this case it does not seem to be enough…
See above - I think those might solve the problem.
If there's something you need from ByteArray that doesn't exist, or have a
use-case for byte handling that can't be solved with the current Lua API,
please submit a enhancement request bug. I wouldn't be surprised to find there
will be some such cases, but I haven't hit one myself yet. :)
-hadriel
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
