In diary entry “A Wireshark Lua Dissector for Fixed Field Length Protocols“, I show how to use a protocol dissector I wrote in Lua to parse TCP data.
Wireshark 4.4.0 Release Candidate 1 was released, and it allows us to use field expressions as custom columns.
This means that some of the functionality that had to be implemented with a dissector, can now just be configured.
Take this example of fields Function, Direction, Counter, DataLength and Data, as defined with my custom Lua dissector:
Similar fields can now be configured via field expressions and custom columns:
By adding custom columns and field expressions.
For example, the field Function is the first byte of the TCP payload: tcp.payload[0]
Another example: field Counter is the third and fourth byte of the TCP payload: tcp.payload[2:2]
As you can see, the column values are displayed as bytes (hexadecimal).
I have not found a way to convert this to decimal integers.
If you have a solution, please post a comment.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Discover more from Cyber GRC Hive
Subscribe to get the latest posts sent to your email.