Wireshark Lua Dissector for IEEE 802.15.4 - DissectorTable name?

Question

I'm working on a wireshark dissector in lua to dissect a custom protocol that is based on 802.15.4. Unfortunately I cannot figure out the right DissectorTable name:

table = DissectorTable.get("wpan") -- wpan does not work
table:add(0, myProto) -- I'm unsure about the first argument here

What dissector table name do I have to use to create the described dissector? and what goes as a first argument for the add function?

Thanks in advance!

EDIT

I figured out that I have to do it this way:

table = DissectorTable.get("wtap_encap")
table:add(104, myProto)

where 104 stands for 802.15.4.

I found it by looking in wireshark -> internals -> dissector table

Answer 1

To add to Martin's answer, you can also use the wtap table (which contains these integer constants) from init.lua like so:

table:add(wtap["IEEE802_15_4"], myProto)
table:add(wtap["IEEE802_15_4_NOFCS"], myProto)

From /usr/share/wireshark/init.lua (Windows: %PROGRAMFILES%\Wireshark\init.lua) :

wtap = {
    ["UNKNOWN"] = 0,
    ["ETHERNET"] = 1,
    ["TOKEN_RING"] = 2,
    ["SLIP"] = 3,
    ["PPP"] = 4,
    ["FDDI"] = 5,
    ["FDDI_BITSWAPPED"] = 6,
    ["RAW_IP"] = 7,
    ["ARCNET"] = 8,
    ["ARCNET_LINUX"] = 9,
    ["ATM_RFC1483"] = 10,
    ["LINUX_ATM_CLIP"] = 11,
    ["LAPB"] = 12,
    ["ATM_PDUS"] = 13,
    ["ATM_PDUS_UNTRUNCATED"] = 14,
    ["NULL"] = 15,
    ["ASCEND"] = 16,
    ["ISDN"] = 17,
    ["IP_OVER_FC"] = 18,
    ["PPP_WITH_PHDR"] = 19,
    ["IEEE_802_11"] = 20,
    ["PRISM_HEADER"] = 21,
    ["IEEE_802_11_WITH_RADIO"] = 22,
    ["IEEE_802_11_WLAN_RADIOTAP"] = 23,
    ["IEEE_802_11_WLAN_AVS"] = 24,
    ["SLL"] = 25,
    ["FRELAY"] = 26,
    ["FRELAY_WITH_PHDR"] = 27,
    ["CHDLC"] = 28,
    ["CISCO_IOS"] = 29,
    ["LOCALTALK"] = 30,
    ["OLD_PFLOG"] = 31,
    ["HHDLC"] = 32,
    ["DOCSIS"] = 33,
    ["COSINE"] = 34,
    ["WFLEET_HDLC"] = 35,
    ["SDLC"] = 36,
    ["TZSP"] = 37,
    ["ENC"] = 38,
    ["PFLOG"] = 39,
    ["CHDLC_WITH_PHDR"] = 40,
    ["BLUETOOTH_H4"] = 41,
    ["MTP2"] = 42,
    ["MTP3"] = 43,
    ["IRDA"] = 44,
    ["USER0"] = 45,
    ["USER1"] = 46,
    ["USER2"] = 47,
    ["USER3"] = 48,
    ["USER4"] = 49,
    ["USER5"] = 50,
    ["USER6"] = 51,
    ["USER7"] = 52,
    ["USER8"] = 53,
    ["USER9"] = 54,
    ["USER10"] = 55,
    ["USER11"] = 56,
    ["USER12"] = 57,
    ["USER13"] = 58,
    ["USER14"] = 59,
    ["USER15"] = 60,
    ["SYMANTEC"] = 61,
    ["APPLE_IP_OVER_IEEE1394"] = 62,
    ["BACNET_MS_TP"] = 63,
    ["NETTL_RAW_ICMP"] = 64,
    ["NETTL_RAW_ICMPV6"] = 65,
    ["GPRS_LLC"] = 66,
    ["JUNIPER_ATM1"] = 67,
    ["JUNIPER_ATM2"] = 68,
    ["REDBACK"] = 69,
    ["NETTL_RAW_IP"] = 70,
    ["NETTL_ETHERNET"] = 71,
    ["NETTL_TOKEN_RING"] = 72,
    ["NETTL_FDDI"] = 73,
    ["NETTL_UNKNOWN"] = 74,
    ["MTP2_WITH_PHDR"] = 75,
    ["JUNIPER_PPPOE"] = 76,
    ["GCOM_TIE1"] = 77,
    ["GCOM_SERIAL"] = 78,
    ["NETTL_X25"] = 79,
    ["K12"] = 80,
    ["JUNIPER_MLPPP"] = 81,
    ["JUNIPER_MLFR"] = 82,
    ["JUNIPER_ETHER"] = 83,
    ["JUNIPER_PPP"] = 84,
    ["JUNIPER_FRELAY"] = 85,
    ["JUNIPER_CHDLC"] = 86,
    ["JUNIPER_GGSN"] = 87,
    ["LINUX_LAPD"] = 88,
    ["CATAPULT_DCT2000"] = 89,
    ["BER"] = 90,
    ["JUNIPER_VP"] = 91,
    ["USB"] = 92,
    ["IEEE802_16_MAC_CPS"] = 93,
    ["NETTL_RAW_TELNET"] = 94,
    ["USB_LINUX"] = 95,
    ["MPEG"] = 96,
    ["PPI"] = 97,
    ["ERF"] = 98,
    ["BLUETOOTH_H4_WITH_PHDR"] = 99,
    ["SITA"] = 100,
    ["SCCP"] = 101,
    ["BLUETOOTH_HCI"] = 102,
    ["IPMB"] = 103,
    ["IEEE802_15_4"] = 104,
    ["X2E_XORAYA"] = 105,
    ["FLEXRAY"] = 106,
    ["LIN"] = 107,
    ["MOST"] = 108,
    ["CAN20B"] = 109,
    ["LAYER1_EVENT"] = 110,
    ["X2E_SERIAL"] = 111,
    ["I2C"] = 112,
    ["IEEE802_15_4_NONASK_PHY"] = 113,
    ["TNEF"] = 114,
    ["USB_LINUX_MMAPPED"] = 115,
    ["GSM_UM"] = 116,
    ["DPNSS"] = 117,
    ["PACKETLOGGER"] = 118,
    ["NSTRACE_1_0"] = 119,
    ["NSTRACE_2_0"] = 120,
    ["FIBRE_CHANNEL_FC2"] = 121,
    ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122,
    ["JPEG_JFIF"] = 123,
    ["IPNET"] = 124,
    ["SOCKETCAN"] = 125,
    ["IEEE802_11_NETMON_RADIO"] = 126,
    ["IEEE802_15_4_NOFCS"] = 127,
    ["RAW_IPFIX"] = 128,
    ["RAW_IP4"] = 129,
    ["RAW_IP6"] = 130,
    ["LAPD"] = 131,
    ["DVBCI"] = 132,
    ["MUX27010"] = 133,
    ["MIME"] = 134,
    ["NETANALYZER"] = 135,
    ["NETANALYZER_TRANSPARENT"] = 136,
    ["IP_OVER_IB"] = 137
}

Answer 2

If your protocol is built on top of 802.15.4 and uses normal 802.15.4 datapackets, there is a better way to do this. The above answers completely replace the 802.15.4 dissector with a custom one. However, the 802.15.4 dissector exposes the dissection of data packet payload through a dissector table named "wpan.panid". The "pattern" passed in is the pan id for which this dissector should be used (which doesn't really make sense since 802.15.4 pan ids are not assigned, but well).

local foo = Proto("foo", "Foo dissector")

-- Register as the dissector for panid 3. Will be automatically
-- called for packets with panid 3 (picking a panid is mandatory,
-- see https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10696).
-- Can additionally be manually selected using the "Decode as..."
-- option.
table = DissectorTable.get("wpan.panid")
table:add(3, foo)

Alternatively, you can register a heuristic dissector in the "wpan" table, which will be called for all 802.15.4 payload packets. Similarly there is a "wpan.beacon" table which will be called for beacon packets.

function dissector(tvb, pinfo, tree)
-- Do stuff here
end
foo.dissector = dissector

-- Register as a heuristic dissector, that gets called for all wpan
-- packets. We'd want to pass foo.dissector here, but it turns out
-- register_heuristic needs an actual function. Passing a lambda
-- doesn't work (since calling foo.dissector(...) discards the
-- return value), so instead we define the dissector function in two
-- steps above, so we can directly access the real function here.
-- See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10695
foo:register_heuristic("wpan", dissector)

Here's the relevant sources for this:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l2821 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1100 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1085 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.h;h=02acfd555f1154a469b4e74add2e0e9d04d6c81d;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l29

Answer 3

To close this, the final solution for me looks like this:

table = DissectorTable.get("wtap_encap")
table:add(104, myProto)
table:add(127, myProto)

where 104 and 127 stands for 802.15.4 (see: wireshark -> internals -> dissector table)