A Field extractor to obtain field values. A Field object can only be created outside of the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
Once created, it is used inside the callback functions, to generate a FieldInfo object.
Create a Field extractor.
The field extractor
Gets a Lua array table of all registered field filter names.
Note: This is an expensive operation, and should only be used for troubleshooting.
The array table of field filter names
An extracted Field from dissected packet data. A FieldInfo object can only be used within the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
A FieldInfo can be called on either existing Wireshark fields by using either Field.new() or Field() beforehand, or it can be called on new fields created by Lua from a ProtoField.
Obtain the Value of the field.
Previous to 1.11.4, this function retrieved the value for most field types, but for ftypes.UINT_BYTES it retrieved the ByteArray of the field’s entire TvbRange.
In other words, it returned a ByteArray that included the leading length byte(s), instead of just the value bytes. That was a bug, and has been changed in 1.11.4.
Furthermore, it retrieved an ftypes.GUID as a ByteArray, which is also incorrect.
If you wish to still get a ByteArray of the TvbRange, use fieldinfo.range to get the TvbRange, and then use tvbrange:bytes() to convert it to a ByteArray.
Checks whether the end byte of lhs is before the end of rhs.
Checks whether the end byte of lhs is before the beginning of rhs.
Mode: Retrieve only.
The internal field type, a number which matches one of the ftype values.
Mode: Retrieve only.
The source Tvb object the FieldInfo is derived from, or nil if there is none.
Mode: Retrieve only.
The TvbRange covering the bytes of this field in a Tvb or nil if there is none.
Mode: Retrieve only.
Whether this field was marked as generated (boolean).
Mode: Retrieve only.
Whether this field was marked as being a URL (boolean).
Mode: Retrieve only.
Whether this field is little-endian encoded (boolean).
Mode: Retrieve only.
Whether this field is big-endian encoded (boolean).
Obtain all fields from the current tree. Note this only gets whatever fields the underlying dissectors have filled in for this packet at this time - there may be fields applicable to the packet that simply aren’t being filled in because at this time they’re not needed for anything. This function only gets what the C-side code has currently populated, not the full list.
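The Field and FieldInfo rules above, combined in a tap that tallies DNS query names per source address. This is an added example, not code from the Wireshark documentation. The choice of the `dns.qry.name` and `ip.src` fields, the `seen` table and the output format are assumptions made for illustration.

```lua
-- Added example: tally DNS query names per source address with a tap.
-- "dns.qry.name" and "ip.src" are standard Wireshark display-filter field names.

-- Extractors are created once at load time, outside every callback.
local f_qname = Field.new("dns.qry.name")
local f_src   = Field.new("ip.src")

local seen = {}  -- seen[src .. " " .. qname] = { count = n, wire = hex string }

-- Tap every frame that matches the display filter "dns".
local tap = Listener.new("frame", "dns")

function tap.packet(pinfo, tvb)
    -- Calling an extractor inside the callback yields FieldInfo objects,
    -- or nothing when the field is absent (DNS over IPv6 has no ip.src).
    local src_fi = f_src()
    local src = src_fi and tostring(src_fi) or "(no ip.src)"

    -- One FieldInfo is returned per occurrence of the field in the packet.
    for _, fi in ipairs({ f_qname() }) do
        if not fi.generated then
            local key = src .. " " .. tostring(fi.value)  -- decoded value
            local entry = seen[key]
            if not entry then
                -- fieldinfo.range may be nil; when present, bytes() gives
                -- the raw wire bytes of the field as a ByteArray.
                local range = fi.range
                entry = { count = 0, wire = range and tostring(range:bytes()) or "" }
                seen[key] = entry
            end
            entry.count = entry.count + 1
        end
    end
end

-- Called when results should be shown (at end of capture in tshark).
function tap.draw()
    local keys = {}
    for key in pairs(seen) do keys[#keys + 1] = key end
    table.sort(keys)
    for _, key in ipairs(keys) do
        print(string.format("%6d  %s  wire=%s", seen[key].count, key, seen[key].wire))
    end
end

function tap.reset()
    seen = {}
end
```

It can be loaded with `tshark -q -X lua_script:dns_tally.lua -r capture.pcap`, where both file names are placeholders.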