Re: Extracting multiple FieldInfo values from a Field in Lua

[Eloy Paris <peloy () chapus net>]

Hi Gerald,

On 05/10/2010 09:00 PM, Gerald Combs wrote:

> I'm trying to extract the "outer" and "inner" ip.src fields in an ICMP
> time-to-live exceeded packet using Lua. If I create a listener that runs
> the following:
>
>      ip_src_f = Field.new("ip.src")
>      local ip_src = ip_src_f()
>      local src = tostring(ip_src.value)
>
> I can only see the lowest-layer ip.src field. According to the User's
> Guide, calling a field's method obtains *all* of the FieldInfo values
> for that field. Adding a debug printf to Field__call in wslua_field.c
> shows it pushing two ip.src values into the stack for each ICMP packet,
> so Lua is presumably receiving them. Does anyone know how to access them
> within the script?
>
> The Lua API also provides a all_field_infos() function which returns the
> entire dissection tree. Are there any examples that show how to use it?

Sorry, I don't know anything about the Lua stuff in Wireshark, but I 
thought I'd share my experience in this, somehow related, area:

I faced similar challenges when making dissection results available to 
the Tcl world in the Network Expect framework. The issue is that of 
"flattening" a dissection tree into a "flat" namespace for easy access 
from the scripting language. After trying a couple of different things I 
settled on an approach that manipulates a bit the names of dissection 
fields. In other words, instead of ending up with "ip.src" as the name 
of the Tcl variable, I end up with "xxx.ip.src", where "xxx" is 
determined by traversing the tree from that node and all the way up to 
the root.

Here is an example:

netexpect> set pkt [packet new ip(dst = 192.168.1.1)/ \
>   icmp-timeexceed()/ \
>   ip(src = 172.16.0.1, dst = 10.10.10.1, ttl = 1)/ \
>   icmp-echo()/data(data = '123456') ]
10.116.188.50 -> 192.168.1.1  ICMP Time-to-live exceeded (Time to live 
exceeded in transit)
netexpect>

This creates a "packet" object (don't worry about the netexpect 
technicalities) that represents an ICMP error message generated in 
response to an ICMP echo request with a TTL that expired. So there two 
"ip.src" after dissection, the source IP of the outer layer 
(192.168.1.1) and the source IP of the original, embedded ICMP message 
(172.16.0.1).

After dissection, these two "ip.src" fields end up in two Tcl variables, 
one called "ip.src" (outer IP source) and "icmp.ip.src":

netexpect> packet dissect pkt
netexpect> set ip.src
10.116.188.50
netexpect> set icmp.ip.src
172.16.0.1

Same thing for other fields, i.e. there are "ip.ttl" and "icmp.ip.ttl", etc.

While Tcl data structures are probably as flexible as those in Lua and 
other scripting languages, I thought that having variables named like 
"xxx.ip.src" makes it easier to access them from the realm of the 
scripting language (Tcl, in the case of Network Expect), as opposed to 
accessing element #2 in an array called "ip.src".

Cheers,

Eloy Paris.-
netexpect.org
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe