lua - Wireshark: display filters vs nested dissectors
I have an application that sends JSON objects over AMQP, and I want to inspect the network traffic with Wireshark. The AMQP dissector gives the payload as a series of bytes in the field amqp.payload, but I'd like to extract and filter on specific fields in the JSON object, so I'm trying to write a plugin in Lua to do that.
Wireshark has a dissector for JSON, so I was hoping to piggy-back on that and not have to deal with JSON parsing myself.
Here is the code:

```lua
local amqp_json_p = Proto("amqp_json", "AMQP JSON payload")
local amqp_json_result = ProtoField.string("amqp_json.result", "Result")
amqp_json_p.fields = { amqp_json_result }
register_postdissector(amqp_json_p)

local amqp_payload_f = Field.new("amqp.payload")
local json_dissector = Dissector.get("json")
local json_member_f = Field.new("json.member")
local json_string_f = Field.new("json.value.string")

function amqp_json_p.dissector(tvb, pinfo, tree)
  local amqp_payload = amqp_payload_f()
  if amqp_payload then
    local payload_tvbrange = amqp_payload.range
    if payload_tvbrange:range(0, 1):string() == "{" then
      json_dissector(payload_tvbrange:tvb(), pinfo, tree)

      -- So far so good. Let's look at what the JSON dissector came up with.
      local members = { json_member_f() }
      local strings = { json_string_f() }
      local subtree = tree:add(amqp_json_p)
      for k, member in pairs(members) do
        if member.display == 'result' then
          for _, s in ipairs(strings) do
            -- find the string value inside the member
            if not (s < member) and (s <= member) then
              subtree:add(amqp_json_result, s.range)
              break
            end
          end
        end
      end
    end
  end
end
```

(To start with, I'm looking at the result field, and the payload I'm testing with is {"result":"ok"}.)
It gets me halfway there. The following shows up in the packet dissection, whereas without the plugin there is only the AMQP section:

```
Advanced Message Queueing Protocol
    Type: Content body (3)
    Channel: 1
    Length: 15
    Payload: 7b22726573756c74223a226f6b227d
JavaScript Object Notation
    Object
        Member Key: result
            String value: ok
            Key: result
AMQP JSON payload
    Result: "ok"
```

Now I want to be able to use these new fields in display filters, and to add them as columns in Wireshark. The following work for both:

- json (shows "Yes" when added as a column)
- json.value.string (I can filter with json.value.string == "ok")
- amqp_json
But amqp_json.result doesn't work: if I use it as a display filter, Wireshark doesn't show any packets, and if I use it as a column, the column is empty.
Why do json.value.string and amqp_json.result behave differently? And how can I achieve what I want? (It seems I need a custom dissector, since with json.value.string I can only filter on any member having that value, not specifically result.)
I found a thread on the wireshark-dev mailing list ("Lua post-dissector not getting field values", 2009-09-17, 2009-09-22, 2009-09-23) which points to the interesting_hfids hash table, but it seems the code has changed a lot since then.
If you'd like to try this, here is a pcap file, base64-encoded, containing a single packet:
1moyoqiabaaaaaaaaaaaaaaabaaaaaaajbi1wfyocgbjaaaaywaaab4aaabgbmeqadcgqa aaaaaaaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaab/tcwko232y46mksqgbgxtga/aaab aqgkrjdnvkywzb4daaeaaaapeyjyzxn1bhqioijvayj9zg==
Decode it with base64 -d (on Linux) or base64 -D (on OS X).
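As an added example that is not part of the question and not Wireshark's or the asker's code, the same check done outside Wireshark in Python: parse AMQP 0-9-1 frames (1-byte type, 2-byte channel, 4-byte size, payload, 0xCE frame-end octet), keep content-body frames whose payload starts with "{" (the same heuristic the Lua plugin uses), and filter on the JSON result member the way the intended amqp_json.result display filter would. The frame bytes are constructed from the dissection shown above; the function names are my own.

```python
import json
import struct

FRAME_BODY = 3   # AMQP 0-9-1 frame type for a content body
FRAME_END = 0xCE  # octet that terminates every AMQP 0-9-1 frame

# Constructed content-body frame matching the dissection in the question:
# type 3, channel 1, length 15, payload {"result":"ok"}, then the frame end.
FRAME_JSON = (bytes([FRAME_BODY]) + struct.pack(">HI", 1, 15)
              + bytes.fromhex("7b22726573756c74223a226f6b227d") + bytes([FRAME_END]))

# Constructed content-body frame with a non-JSON payload, to show it is skipped.
FRAME_TEXT = bytes([FRAME_BODY]) + struct.pack(">HI", 1, 3) + b"abc" + bytes([FRAME_END])


def parse_amqp_frames(data):
    """Split raw bytes into (type, channel, payload) tuples, one per AMQP 0-9-1 frame.
    Raises ValueError on a truncated frame or a missing frame-end octet."""
    frames = []
    off = 0
    while off + 7 <= len(data):
        ftype, channel, size = struct.unpack(">BHI", data[off:off + 7])
        end = off + 7 + size
        if end >= len(data) or data[end] != FRAME_END:
            raise ValueError("malformed frame at offset %d" % off)
        frames.append((ftype, channel, data[off + 7:end]))
        off = end + 1
    return frames


def json_payloads(frames):
    """Return parsed JSON objects from content-body frames whose payload starts with '{';
    bodies that are not valid UTF-8 JSON are skipped rather than failing the whole capture."""
    objects = []
    for ftype, _channel, payload in frames:
        if ftype != FRAME_BODY or not payload.startswith(b"{"):
            continue
        try:
            objects.append(json.loads(payload.decode("utf-8")))
        except (UnicodeDecodeError, ValueError):
            continue
    return objects


def match_result(frames, wanted):
    """Offline equivalent of the display filter amqp_json.result == wanted."""
    return [obj for obj in json_payloads(frames) if obj.get("result") == wanted]
```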