- Subject: RE: How to evaluate hex/ebcdic packet data LUA
- From: Thomas Buergel <Thomas.Buergel@...>
- Date: Mon, 24 Oct 2016 14:45:56 +0000
Not sure I understand everything right, and the Wireshark API is a bit confusing at times... but why are you trying to handle this field as string? From my reading it's 1 byte, starting at offset 19 of your buffer.
First:
> By the way, in the Wireshark tree it prints as \357\277\275,
This is the Unicode "replacement character" U+FFFD, �, rendered as a UTF-8 byte sequence. I guess somewhere along the way the 0xc4 (which would indicate the start of a multi-byte sequence in UTF-8) is converted to "invalid UTF-8" (because it's not a multi-byte sequence) and ends up being replaced by the "replacement character".
> but in the Info column it displays as c4. In the hex packet display it is also c4.
> And if I do print ((string.char(0xc4))), this character prints Ä
Difference in rendering paths.
How about this (untested):
> local pf_mgi_flag = ProtoField.new("mgi_flag", "mymgi.mgi_flag", ftypes.STRING)
Change to
local pf_mgi_flag = ProtoField.uint8("mymgi.mgi_flag", "mgi_flag", base.HEX)
Some references (URL may require some reassembly):
ProtoField.uint8: https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html#lua_fn_ProtoField_uint8_abbr___name____base____valuestring____mask____desc__
Checking fields for values:
https://ask.wireshark.org/questions/20566/how-do-i-extract-buffer-values-from-a-protofield
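
Added example, not part of the original message and not Wireshark code: a Python model of the rendering paths discussed above, showing why the single byte 0xc4 appears as \357\277\275 when treated as a string but as c4 when read as a number. The 20-byte buffer is constructed, the function names are hypothetical, and the EBCDIC code page (cp037) is an assumption, since the thread does not name one.

```python
# Added illustration. SAMPLE is a constructed buffer, not data from a capture.

def octal_escape(data: bytes) -> str:
    """Printable ASCII stays as-is; every other byte is shown as \\ooo."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b
        for b in data
    )

def as_utf8_string(raw: bytes) -> str:
    """String path: bytes that are not valid UTF-8 are replaced by U+FFFD,
    and the result is shown as its UTF-8 bytes, octal-escaped."""
    sanitized = raw.decode("utf-8", errors="replace").encode("utf-8")
    return octal_escape(sanitized)

def as_uint8(buf: bytes, offset: int) -> str:
    """Numeric path: the byte is read as an integer, no text decoding."""
    return "0x%02x" % buf[offset]

def render_paths(buf: bytes, offset: int, codepage: str = "cp037") -> dict:
    """Render the 1-byte field at `offset` along each path.
    `codepage` is an assumed EBCDIC code page."""
    raw = buf[offset:offset + 1]
    return {
        "uint8": as_uint8(buf, offset),
        "utf8_string": as_utf8_string(raw),
        "latin1": raw.decode("latin-1"),
        "ebcdic": raw.decode(codepage),
    }

# Constructed sample: 19 filler bytes, then the flag byte 0xc4 at offset 19.
SAMPLE = bytes(19) + b"\xc4"

if __name__ == "__main__":
    for path, shown in render_paths(SAMPLE, 19).items():
        print("%-12s %s" % (path, shown))
    # 0xc4 followed by a continuation byte is valid UTF-8 and is not replaced.
    print("c4 84        %s" % as_utf8_string(b"\xc4\x84"))
```

Under the cp037 assumption the flag byte decodes to an EBCDIC letter, which is one more reason to declare the field numeric and map its values explicitly rather than rely on string decoding.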