Wireshark mailing list archives
Re: Intro and lua question
From: Peter Wu <peter () lekensteyn nl>
Date: Fri, 21 Oct 2016 23:47:59 +0200
On Fri, Oct 21, 2016 at 01:24:52PM -0700, Jerry White wrote:
Hi,
[..]
Advanced packet
<tcp header stuff>
<MyProto fixed length header><MyProto variable length data>
<MyProto fixed length header><MyProto variable length data>
<MyProto fixed length header><MyProto variable length data>

This packet has three application transactions in it. The first 8 bytes of the MyProto header are always the same, and I can count from there into the packet to parse out the fields I need. The problem is, since the data section is variable length, I don't know where to look for the next header. How do I do that in lua?
As Michael noted, if the length can be derived from the header, then you can use the dissect_tcp_pdus Lua function (in the C library code it is called tcp_dissect_pdus instead). It is documented at
https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html

Here is an example of using dissect_tcp_pdus. It has arbitrary numbers, but it should show the idea. Read mgi.dissector first, then get_mgi_length, then dissect_mgi for a better understanding. Documentation links follow, here is the code:

function get_mgi_length(tvb, pinfo, offset)
    -- Note: tvb(...) and tvb:range(...) both create a TvbRange,
    -- prefer the former since it is more efficient (it saves a
    -- method lookup)
    -- When you access a TvbRange as string, then the __tostring
    -- method will be used which is typically not what you want.
    -- Therefore invoke int, string, etc. as appropriate
    local msgid = tvb(offset, 4):uint()
    if msgid == 1234 then
        -- Assume this field contains the length following the header
        local datalen = tvb(offset + 4, 4):uint()
        return 19 + datalen
    elseif msgid == 4567 then
        -- Example that shows what to do if you need more bytes to
        -- know the actual length: the real length is stored in four
        -- bytes at offset 20.
        if tvb:reported_len() < offset + 20 + 4 then
            -- special value (supported since 2.0) that indicates
            -- that more bytes are needed to know PDU length
            return 0
        end
        -- Length is definitely valid, so can safely read length now
        local datalen = tvb(offset + 20, 4):uint()
        return 19 + datalen
    else
        -- In other cases, assume just the fixed-length header
        return 19
    end
end

function dissect_mgi(tvb, pinfo, tree)
    -- use the pinfo parameter (the name pktinfo is not defined here)
    pinfo.cols.info:set("MSGID=")
    -- note: changed from tvb:range() to tvb()
    local info_mgi_msg_id = tvb(9, 10)
    -- example of using :string() to print a hex string instead of
    -- some hexadecimal representation
    pinfo.cols.info:append(info_mgi_msg_id:string())
    -- etc.
end

function mgi.dissector(tvb, pinfo, tree)
    -- Assume that you need to know at least 19 bytes for retrieving
    -- the length. Then when at least 19 bytes are available, call
    -- get_mgi_length to find the real length. If the full data is
    -- available, call dissect_mgi to handle it.
    dissect_tcp_pdus(tvb, tree, 19, get_mgi_length, dissect_mgi)
end

The full reference manual of the Lua interface exposed by Wireshark is available at
https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html

The dissect_tcp_pdus function is documented in the "Global Functions" section at
https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html

--
Kind regards,
Peter Wu
https://lekensteyn.nl
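A complete dissector built on dissect_tcp_pdus for the kind of layout the question describes, as an added example that is not part of the original thread. The 12-byte header (8-byte constant signature followed by a 4-byte big-endian data length), the port number and the length limit are assumptions; the limit is there because the length field comes from the wire and should not be trusted blindly.

```lua
-- Added example: the MyProto layout, port and limit below are assumptions.
-- Assumed PDU: 8-byte constant signature | 4-byte big-endian length | data
local HEADER_LEN   = 12
local MAX_DATA_LEN = 65536   -- assumed upper bound for a sane data length
local TCP_PORT     = 9999    -- hypothetical port

local myproto = Proto("myproto_example", "MyProto (example)")
local f_sig  = ProtoField.bytes("myproto_example.signature", "Signature")
local f_len  = ProtoField.uint32("myproto_example.length", "Data length", base.DEC)
local f_data = ProtoField.bytes("myproto_example.data", "Data")
myproto.fields = { f_sig, f_len, f_data }

local e_len = ProtoExpert.new("myproto_example.length.too_large",
    "Data length exceeds sanity limit", expert.group.MALFORMED, expert.severity.ERROR)
myproto.experts = { e_len }

-- Called once at least HEADER_LEN bytes are available at 'offset'.
-- Returns the total PDU length (header + data).
local function get_pdu_len(tvb, pinfo, offset)
    local datalen = tvb(offset + 8, 4):uint()
    if datalen > MAX_DATA_LEN then
        -- The length comes from the wire: do not ask TCP reassembly to
        -- wait for an implausible amount of data, dissect the header only.
        return HEADER_LEN
    end
    return HEADER_LEN + datalen
end

-- Called once per complete PDU; 'tvb' starts at the PDU's first byte.
local function dissect_pdu(tvb, pinfo, tree)
    pinfo.cols.protocol:set("MyProto")
    local subtree = tree:add(myproto, tvb())
    subtree:add(f_sig, tvb(0, 8))
    local len_item = subtree:add(f_len, tvb(8, 4))
    local datalen = tvb(8, 4):uint()
    if datalen > MAX_DATA_LEN then
        len_item:add_proto_expert_info(e_len)
    elseif datalen > 0 then
        subtree:add(f_data, tvb(HEADER_LEN, datalen))
    end
    return tvb:len()
end

function myproto.dissector(tvb, pinfo, tree)
    -- Splits the stream into PDUs, also across TCP segment boundaries.
    dissect_tcp_pdus(tvb, tree, HEADER_LEN, get_pdu_len, dissect_pdu)
end

DissectorTable.get("tcp.port"):add(TCP_PORT, myproto)
```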