lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

HI all,

I'm a beginner at lua/wireshark and need some help. I've written a script that reads a packet file, creates a new protocol, and writes some packet info to a log file. It is populating the Wireshark tree correctly, but for some reason it is creating three entries for the same packet in the log file, iterating through the file three times. Why does it do this?

Script below:
Thanks in advance for any help.
Jerry
------------------------------------------------------------------------------------

WBA = Proto("myWBA", "SomosWBA")

req_appcode_tree     = ProtoField.new("WBA_header", "WBA.WBA_header", ftypes.STRING)
ac_appcode_tree     = ProtoField.new("WBA_subtype", "WBA.WBA_subtype", ftypes.STRING)

WBA.fields = {
req_appcode_tree,
ac_appcode_tree
}

-- initialize LOG file
logg = io.output("C:\\foo\\lua.log.txt", w)
logg:write("pnum,rel_time,src_port,dst_port,appcode,subcode\n")

function WBA.dissector(tvbuf, pktinfo, root)

-- set the protocol column to show our protocol name
pktinfo.cols.protocol:set("WBA")
    pktlen = tvbuf:reported_length_remaining()

tree = root:add(WBA, tvbuf:range(0,pktlen)) -- is this what makes it go three times?

--what is the level 1 transaction type?
--until I get 3 bytes of interest, munch 3 bytes at a time and look for "REQ"

start_offset = -1

repeat
if start_offset + 3 >= pktlen then
return
end
start_offset = start_offset + 1
req_header = tvbuf:range(start_offset,3)
req_header_ascii = req_header:string(ENC_ASCII)
until (req_header_ascii == "REQ")

-- found REQ, now get the whole field
tree:add_packet_field(req_appcode_tree, tvbuf:range(start_offset,7 ), ENC_ASCII)
req_appcode = tvbuf:range(start_offset,7)
req_appcode_ascii = req_appcode:string(ENC_ASCII)

-- what is the level 2 transaction type?
-- get the ac= code
-- first scan the file for "AC="

repeat
if start_offset + 3 >= pktlen then
return
end
start_offset = start_offset + 1
ac_header = tvbuf:range(start_offset,3)
ac_header_ascii = ac_header:string(ENC_ASCII)
until (ac_header_ascii == "AC=")

-- found AC=, now get the whole field
tree:add_packet_field(ac_appcode_tree, tvbuf:range(start_offset,4 ), ENC_ASCII)
ac_appcode = tvbuf:range(start_offset,4)
ac_appcode_ascii = ac_appcode:string(ENC_ASCII)

--write to the logfile
logg:write(pktinfo.number.. "," .. pktinfo.rel_ts .. "," .. pktinfo.src_port .. ","  .. pktinfo.dst_port .. "," .. req_appcode_ascii .. "," .. ac_appcode_ascii .. "\n")

-- put the app code into the wireshark info column
pktinfo.cols.info:set("APPCODE:" .. req_appcode_ascii .. ", SUBCODE:" .. ac_appcode_ascii )



end

--single port per app
DissectorTable.get("tcp.port"):add(3900, WBA)