ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: [Wireshark-dev] Intro and lua question

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jerry White <jerrywhite518@xxxxxxxxx>
Date: Fri, 21 Oct 2016 13:24:52 -0700
Hi,

Quick intro: I'm Jerry White, live in the SF Bay Area. I've been a Wireshark user since the ethereal days. Also have pretty good experience with Riverbed SteelCentral Transaction Analyzer (aka ATX.) I used to work for OPNET/Riverbed. So Gerald Combs and I were co-workers. And Laura Chappell is my hero. Okay, name dropping is done, here's my question:

My coding skills are rudimentary. Perhaps a 2 out of 10. I'm writing my first lua dissector. The protocol runs under tcp on a certain port range. I've gotten a lot of help by following Hadriel Kaplan's sample script and youtube video.  Everything was cool, I built a tree and put stuff into the info column in the WS gui. Now I've just learned that the protocol repeats itself inside of a packet. Let me give you an example:

Simple packet
<tcp header stuff><MyProto fixed length header><MyProto variable length data>

I can pull stuff out of the MyProto header and data fields just fine. If life were just these type of packets I wouldn't be here.

Advanced packet
<tcp header stuff><MyProto fixed length header><MyProto variable length data><MyProto fixed length header><MyProto variable length data><MyProto fixed length header><MyProto variable length data>

This packet has three application transactions in it. The first 8 bytes of the MyProto header are always the same, and I can count from there into the packet to parse out the fields I need. The problem is, since the data section is variable length, I don't know where to look for the next header. How do I do that in lua?

Here's my code:

function mgi.dissector(tvbuf, pktinfo, root)

pktinfo.cols.protocol:set("SomosMGI")
local pktlen = tvbuf:reported_length_remaining()
local tree = root:add(mgi, tvbuf:range(0,pktlen))
local info_mgi_header = tvbuf:range(0,4)
tree:add(pf_mgi_header, tvbuf:range(0,4))
local info_mgi_msg_id = tvbuf:range(9,10)
tree:add(pf_mgi_msg_id, tvbuf:range(9,10))
local info_mgi_flag = tvbuf:range(19,1)
tree:add(pf_mgi_flag, tvbuf:range(19,1))
local info_mgi_msg_type = tvbuf:range(99,7)
tree:add(pf_mgi_msg_type, tvbuf:range(99,7))
local info_mgi_msg_subtype = tvbuf:range(157,4)
tree:add(pf_mgi_msg_subtype, tvbuf:range(157,4))

--if info_mgi_flag ==  "c4" then
--pktinfo.cols.info:set("HEADER=")
--pktinfo.cols.info:append("".. info_mgi_header ..",") -- printed "7e7e7e7e"
pktinfo.cols.info:set("MSGID=")
pktinfo.cols.info:append("".. info_mgi_msg_id ..",") 
pktinfo.cols.info:append("FLAG=")
pktinfo.cols.info:append("".. info_mgi_flag ..",")
pktinfo.cols.info:append("MSGTYPE=")
pktinfo.cols.info:append("".. info_mgi_msg_type ..",")
pktinfo.cols.info:append("SUBTYPE=")
pktinfo.cols.info:append("".. info_mgi_msg_subtype .."")
--end
return pktlen


Thanks for any help you can provide.
Jerry
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube