Wireshark-bugs: [Wireshark-bugs] [Bug 10695] Lua Proto:register_heuristic should accept Dissecto
Date: Wed, 17 Dec 2014 13:59:18 +0000

Comment # 4 on bug 10695 from
> But a Proto dissector function (usually/should) behaves differently
> than a heuristic... a heuristic should just return a true/false
> boolean for whether the packet belongs to this protocol, whereas a
> dissector should parse fields and set tree items and return the number
> of bytes consumed (or number of more bytes needed).

Hmm, must have missed the return number of bytes thing in the documentation
then. However, I was under the impression that a heuristic dissector
could/should also just parse a packet and add tree items, right? AFAICS, if a
heuristic dissector returns true but doesn't actually do any parsing, then it
just prevents any other dissectors from running, leaving the packet unparsed?

> Because your lambda function doesn't return anything.  If your
> foo.dissector() returns true/false, then your lambda should be:
>
>     function(...) return foo.dissector(...) end

Ah, that was just an oversight while minimizing my example for the bug
report - I had already tested with the return statement in my original
code. Just to confirm, I just tested this:

    local foo = Proto("foo", "Foo dissector")

    function foo.dissector(tvb, pinfo, tree)
        return true;
    end

    foo:register_heuristic("wpan", function(...) return foo.dissector(...) end)

Which doesn't affect wpan packet parsing in any way. This is in contrast
with:

    foo:register_heuristic("wpan", function(...) return true; end)

Which should be exactly equivalent, but leaves all wpan packets
unparsed.


> Or, you could instead simply separately create a Lua function
> that does what you want, and then set both the Proto's dissector and
> register the heuristic to that Lua function.  For example:

Yeah, that's what I ended up doing. However, I spent quite some time
figuring out the unexpected stuff in the API before I ended up at this
solution - it would be useful if things worked more as you'd expect to
save others from going through the same in the future.


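The workaround discussed in this thread (one shared Lua function behind both the Proto's dissector and the registered heuristic), as an added example that is not part of the original mail or of Wireshark's own code. The foo frame layout (magic byte 0xF0, one length byte, then payload) and all helper names are assumptions made up for illustration.

```lua
-- Added example; the "foo" frame layout (magic 0xF0, 1-byte length, payload)
-- is an assumption made up for illustration.
local foo = Proto("foo", "Foo dissector")

local f_magic   = ProtoField.uint8("foo.magic", "Magic", base.HEX)
local f_length  = ProtoField.uint8("foo.length", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("foo.payload", "Payload")
foo.fields = { f_magic, f_length, f_payload }

local FOO_MAGIC  = 0xF0  -- assumed marker byte
local HEADER_LEN = 2

-- Cheap validity checks only; nothing is added to the tree here.
local function looks_like_foo(tvb)
    if tvb:len() < HEADER_LEN then return false end
    if tvb(0, 1):uint() ~= FOO_MAGIC then return false end
    -- Reject frames whose declared length overruns the captured data.
    return HEADER_LEN + tvb(1, 1):uint() <= tvb:len()
end

-- Shared parsing routine: returns the number of bytes consumed.
local function dissect_foo(tvb, pinfo, tree)
    local payload_len = tvb(1, 1):uint()
    local total = HEADER_LEN + payload_len
    pinfo.cols.protocol = "FOO"
    local subtree = tree:add(foo, tvb(0, total))
    subtree:add(f_magic, tvb(0, 1))
    subtree:add(f_length, tvb(1, 1))
    if payload_len > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, payload_len))
    end
    return total
end

-- Regular dissector: 0 means "not ours", otherwise bytes consumed.
function foo.dissector(tvb, pinfo, tree)
    if not looks_like_foo(tvb) then return 0 end
    return dissect_foo(tvb, pinfo, tree)
end

-- Heuristic: return false on rejection so other dissectors still run;
-- when accepting, parse first and then return true.
local function foo_heuristic(tvb, pinfo, tree)
    if not looks_like_foo(tvb) then return false end
    dissect_foo(tvb, pinfo, tree)
    return true
end

foo:register_heuristic("wpan", foo_heuristic)
```

The heuristic only claims a packet after the bounds and magic checks pass, which avoids the "returns true but parses nothing" case described above that leaves wpan packets undissected.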