I'm writing a custom lua dissector for a protocol. We capture the protocl with custom hardware which gives us PCAP files. The protocol consists of 64 bit packets.
The protocol has a "start transaction" bit, which indicates the start of an 8 packet transaction, and depending on where we are in that transaction parts of the packet has a different meaning, i.e. in the packet with the start transaction bit, the packet starts with a header, then the next packet contains the message code in that same spot. There are in total 8 different ways to interpret the same offset of the packet, depending on where we are in the transaction.
I want to dissect the protocol and have the field depend on where we are in the transaction.
I created a simple sequence counter variable outside the dissector function, which is reset if the transaction start bit is encountered. and it counts to 8. Depending on that counter I select which protofields I should add to the tree.
This kind of works, if I show all the different fields as columns, they have the correct values in the right places. However, when I click a packet the packet details show no or the wrong field names, depending on the order in which I click the packets. For example If I click a packet with the "transaction start" then the packet info correctly shows the data as "header". However, if I then click any other packet the field is shown as "message code".
It seems like the order for the disection in the packet info field is not fixed, it uses the order in which I click the packets, not the order in which they were captured.
Is wireshark even suited to base the way it dissects a certain packet solely on the order in which it was received?
Is wireshark even suited to base the way it dissects a certain packet solely on the order in which it was received?
Wireshark will process packets in order only on the 1st pass, and you can tell if it's the 1st time the packet is being dissected using pinfo.visited. It'll be false the 1st time a packet is dissected and true for all other times.
But that alone won't be enough; you'll also need to save the counter (1-8) of the packet so that you'll know how to dissect that particular packet again the next time the packet is dissected, which could occur at any time. With C dissectors, this is typically done using conversation constructs like conversation_add_proto_data() and conversation_get_proto_data(), but in this case, I'm not entirely sure if that's the best approach or if it's even supported with Lua dissectors. Still, it might be a good place to start? Check out doc/README.request_response_tracking or the Wireshark Lua wiki pages or inquire over at the Wireshark Q&A site for possible ideas from others in the Wireshark community. (It's been awhile since I've written Lua dissectors, and I don't recall what, if anything, is available in Lua to meet your needs.)