
Wireshark-dev: Re: [Wireshark-dev] Specifying dissectors declaratively

From: Ahmad Fatoum <ahmad@xxxxxx>
Date: Thu, 20 Apr 2017 22:59:15 +0200

On 19 Apr 2017, at 13:47, Roland Knall <rknall@xxxxxxxxx> wrote:

But in my opinion not really usable for most other protocols which include bigger state machines (like industrial ethernet protocols).

Yes, I am not looking for expressing bigger state machines, rather something that can churn out dissectors from definitions like

coords_t := (u16 X)  (u16 Y) (u8 Z)
command := item_move | player_move
item_move := (u8 0x64) (coords_t from) (coords_t to) (u8 stackpos) (u16 itemid)
player_move := (u8 0x90) (coords_t to)

(This goes on for some hundred different commands, with multiple versions for each command depending on protocol version)

- Just use Kaitai syntax but rewrite the parser as a C library to include with Wireshark

I'll consider going this route.

Thanks for your input.

Regards,
Ahmad

On Wed, Apr 19, 2017 at 11:27 AM, Ahmad Fatoum <ahmad@xxxxxx> wrote:
Hello everyone,

I want to update a game protocol dissector I wrote, and would love to be able to rewrite all those game commands in a declarative manner.
What I've found so far:

• ASN.1: asn2wrs is part of Wireshark and supports packed encoding rules (PER), but I believe it's not possible to decode an arbitrary non-ASN.1-encoded protocol [1]. Is that right?

• Wireshark Generic Dissector: A plugin that can read a DSL and dissect packets accordingly [2].

• CSjark: C structs to Lua dissectors [5].

• Kaitai Struct: A declarative language written for decoding arbitrary formats [3]. There's a basic Wireshark Lua dissector generator [4].

In essence, I want something to turn struct-like definitions for an arbitrary protocol into a dissector. Should support:
• struct pascal_string { u16 len; u8 bytes[len] };
• continue till character: e.g. for nul-terminated strings
• pattern matching: struct { u8 0x64; /* 0x64 specific fields */ }, struct { u8 0x10; /* 0x10 specific fields */ }
• arbitrary nesting thereof
• endianness specification
• code generation: The protocol in question is encrypted. So e.g. the generic dissector plugin is insufficient.

Having readily available parser generators for the format would be a huge plus. Kind of like lex/yacc, but for binary data and with a Wireshark backend.

So, what are your experiences with declaratively parsing binary data?
What are your thoughts on having a declarative format for dissectors? Have you tried it before?
If the ASN.1 support in Wireshark isn't fit for this task, what would need to be done to make it so?
Would you be interested in a kaitai2wrs generator? Or maybe another_format2wrs? I'd be willing to try.

This was raised multiple times before on the mailing list, the most extensive one being this, I think:
https://www.wireshark.org/lists/wireshark-dev/201207/msg00110.html

Nevertheless, things might have changed?

Looking forward to feedback.

Best regards,

[1]: https://wiki.wireshark.org/Asn2wrs
[2]: http://wsgd.free.fr/
[3]: http://kaitai.io/
[4]: https://github.com/joushx/kaitai-to-wireshark
[5]: https://github.com/eventh/kpro9
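As an added example, not code from this thread or from any of the tools it names: a small Python interpreter for definitions in the notation of the reply above (coords_t, item_move, player_move), extended with the length-prefixed pascal_string and tag-byte pattern matching asked for in the original post. The spec table, the hypothetical "say" command and the sample packets are constructed here; the point is that every read is bounds-checked, so a length prefix larger than the packet yields an error instead of an over-read, the check a hand-written dissector for a few hundred commands would otherwise have to repeat in each one.

```python
import struct
PRIM = {"u8": ("B", 1), "u16": ("H", 2)}       # primitive type -> (struct code, size)

# Constructed spec in the thread's notation: (type, name) fields, (type, int) literal tag
# bytes, "bytes[len]" sized by an earlier sibling field, and alternation keyed by tag byte.
SPEC = {
    "coords_t":    [("u16", "X"), ("u16", "Y"), ("u8", "Z")],
    "pascal_str":  [("u16", "len"), ("bytes[len]", "bytes")],
    "item_move":   [("u8", 0x64), ("coords_t", "from"), ("coords_t", "to"),
                    ("u8", "stackpos"), ("u16", "itemid")],
    "player_move": [("u8", 0x90), ("coords_t", "to")],
    "say":         [("u8", 0x96), ("pascal_str", "text")],   # hypothetical extra command
    "command":     ["item_move", "player_move", "say"],
}

def dissect(typ, data, off=0, endian="<", fields=None):
    """Parse `typ` at data[off:] and return (value, new_off); every read is bounds-checked."""
    def take(n):
        if off + n > len(data):
            raise ValueError(f"{typ} at offset {off} needs {n} bytes, {len(data) - off} left")
        return data[off:off + n], off + n
    if typ in PRIM:
        raw, end = take(PRIM[typ][1])
        return struct.unpack(endian + PRIM[typ][0], raw)[0], end
    if typ.startswith("bytes["):
        return take(fields[typ[6:-1]])              # length from an already-parsed field
    spec = SPEC[typ]
    if isinstance(spec[0], str):                    # alternation: dispatch on the tag byte
        tag = take(1)[0][0]
        for alt in spec:
            if SPEC[alt][0][1] == tag:
                return dissect(alt, data, off, endian)
        raise ValueError(f"unknown {typ} tag 0x{tag:02x}")
    out = {"_type": typ}
    for ftype, fname in spec:
        val, off = dissect(ftype, data, off, endian, out)
        if not isinstance(fname, int):              # named field: store it
            out[fname] = val
        elif val != fname:                          # literal tag byte must match
            raise ValueError(f"{typ}: expected 0x{fname:02x}, got 0x{val:02x}")
    return out, off

def parse_command(pkt):
    """Dissect one whole command; malformed input yields an error string, never an over-read."""
    try:
        val, end = dissect("command", pkt)
        return val if end == len(pkt) else f"error: {len(pkt) - end} trailing bytes"
    except ValueError as e:
        return f"error: {e}"
PLAYER_MOVE = bytes([0x90]) + struct.pack("<HHB", 10, 20, 7)     # constructed: valid move
TRUNCATED_SAY = bytes([0x96]) + struct.pack("<H", 500) + b"hello" # constructed: len prefix lies
```

Adding a command is one more SPEC entry; changing `endian` to ">" switches every u16 at once, which is the endianness knob the original post asks for.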

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe