this example needs to be updated to the current WSLUA API
A post-dissector example
Well, let's say that we want to filter packets of sessions where there has been a long gap between packets.
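-- max_gap.lua
-- Post-dissector that adds a gap.max field holding the largest gap (in
-- seconds, computed from pinfo.rel_ts) seen so far between a pair of
-- network-layer addresses, so it can be used in a display filter.
-- The older WSLUA names (Protocol, TreeItem:add_item) are replaced here by
-- the current ones (Proto, TreeItem:add).

-- The "protocol" that owns our field and tree items.
local max_gap_p = Proto("gap", "Gap in IP conversations")

-- Our single field; the second argument is the display name shown in the tree.
local max_gap_field = ProtoField.float("gap.max", "Max gap")

-- Attach the field list to the protocol.
max_gap_p.fields = { max_gap_field }

-- Per-conversation state, keyed by "lo_addr hi_addr" (built in the dissector).
-- Kept as file-scope locals rather than globals so the script does not leak
-- names into the Lua environment shared with other scripts.
local gaps = {} -- largest gap observed so far between two nodes
local last = {} -- rel_ts of the last packet seen between two nodes

-- Reset the state when a capture is (re)opened.  Entries are never removed
-- otherwise, so without this the tables grow with every distinct address
-- pair ever seen and carry stale timestamps over from the previous file.
function max_gap_p.init()
  gaps = {}
  last = {}
end

-- Register as a postdissector so we run after all other dissectors.
register_postdissector(max_gap_p)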
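-- The dissector.  Runs once per packet on the first pass (pinfo.visited is
-- false) and again on later passes (pinfo.visited is true), e.g. when a
-- display filter is applied.  The running maximum is only updated during the
-- first pass, so later passes report the final maximum of the conversation.
-- @param tvb   Tvb of the packet (unused: the field carries a computed value)
-- @param pinfo Pinfo; net_src, net_dst, rel_ts and visited are read
-- @param tree  TreeItem the gap.max field is added to
function max_gap_p.dissector(tvb, pinfo, tree)
  local addr_lo = pinfo.net_src
  local addr_hi = pinfo.net_dst
  -- NOTE(review): assumes frames without network-layer addresses yield nil
  -- here; if they do, there is nothing to key a conversation on -- confirm.
  if addr_lo == nil or addr_hi == nil then
    return
  end
  -- Order the pair so both directions map to the same conversation key.
  if addr_lo > addr_hi then
    addr_hi, addr_lo = addr_lo, addr_hi
  end
  local conv_key = tostring(addr_lo) .. " " .. tostring(addr_hi)

  local max_gap
  if not pinfo.visited then
    -- First pass: compute this packet's gap and update the running maximum.
    local now = pinfo.rel_ts
    local prev = last[conv_key]
    if prev then
      local this_gap = now - prev
      max_gap = gaps[conv_key] or 0
      if this_gap > max_gap then
        max_gap = this_gap
        gaps[conv_key] = max_gap
      end
    else
      -- First packet of the conversation: no gap yet.
      max_gap = 0
    end
    last[conv_key] = now
  else
    -- Later passes: report the maximum found over the whole first pass.
    -- nil when the conversation never had a second packet.
    max_gap = gaps[conv_key]
  end

  if max_gap then
    tree:add(max_gap_field, max_gap)
  end
end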