Wireshark mailing list archives

Re: Intro and lua question


From: Michael Mann <mmann78 () netscape net>
Date: Fri, 21 Oct 2016 16:41:27 -0400


Does your protocol give the length of your variable data within the fixed header?  If so, tcp_dissect_pdus would be for 
you, but I don't immediately see how that's implemented in Lua (IANALP - I am not a Lua programmer).  I did a quick 
search through Bugzilla because I remember it being talked about, but you may also want to check the -dev archives.
 
If the variable length is not given in the fixed length packet, I'd check out 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9896.  There's a sample Lua script from Hadriel that may be what 
you're looking for.

Michael
 
 
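For the length-prefixed case Michael describes, here is an added example written for this page (not Hadriel's script and not code from the thread): a Lua dissector that walks consecutive PDUs in one segment, asks TCP to reassemble when a PDU is cut off, and refuses a length field above a sanity cap so a malformed packet cannot stall the loop or drive unbounded reassembly. The 12-byte header layout, the length-field offset, the field names and the port range are all assumptions.

```lua
-- Added example (not from the thread). Assumed layout: 12-byte fixed header =
-- 4-byte magic, 4-byte message id, 4-byte big-endian data length; then data.
local myproto = Proto("myproto_example", "MyProto (example)")
local HDR_LEN, LEN_OFFSET = 12, 8    -- assumed header size / length-field offset
local MAX_DATA_LEN = 65535           -- cap so a bogus length cannot drive reassembly
local pf_magic  = ProtoField.bytes("myproto_example.magic", "Magic")
local pf_msg_id = ProtoField.uint32("myproto_example.msg_id", "Message ID", base.DEC)
local pf_len    = ProtoField.uint32("myproto_example.len", "Data length", base.DEC)
local pf_data   = ProtoField.bytes("myproto_example.data", "Data")
myproto.fields = { pf_magic, pf_msg_id, pf_len, pf_data }

function myproto.dissector(tvbuf, pktinfo, root)
    pktinfo.cols.protocol:set("MyProto")
    local pktlen, offset, count = tvbuf:len(), 0, 0
    while offset < pktlen do
        local remaining = pktlen - offset
        -- Less than a full header left: ask TCP for the next segment first.
        if remaining < HDR_LEN then
            pktinfo.desegment_offset = offset
            pktinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return pktlen
        end
        local data_len = tvbuf:range(offset + LEN_OFFSET, 4):uint()
        if data_len > MAX_DATA_LEN then
            -- Never trust the length field: flag it and stop rather than loop on it.
            root:add(myproto, tvbuf:range(offset)):add_expert_info(
                PI_MALFORMED, PI_ERROR, "MyProto data length exceeds limit")
            return pktlen
        end
        local pdu_len = HDR_LEN + data_len
        -- PDU continues in the next segment: request exactly the missing bytes.
        if remaining < pdu_len then
            pktinfo.desegment_offset = offset
            pktinfo.desegment_len = pdu_len - remaining
            return pktlen
        end
        -- One subtree per PDU, scoped to exactly the bytes it covers.
        local tree = root:add(myproto, tvbuf:range(offset, pdu_len), "MyProto PDU")
        tree:add(pf_magic,  tvbuf:range(offset, 4))
        tree:add(pf_msg_id, tvbuf:range(offset + 4, 4))
        tree:add(pf_len,    tvbuf:range(offset + LEN_OFFSET, 4))
        if data_len > 0 then tree:add(pf_data, tvbuf:range(offset + HDR_LEN, data_len)) end
        offset = offset + pdu_len   -- pdu_len >= HDR_LEN > 0, so the loop always advances
        count = count + 1
    end
    pktinfo.cols.info:set(string.format("%d MyProto PDU(s)", count))
    return pktlen
end
DissectorTable.get("tcp.port"):add("5000-5010", myproto)  -- placeholder port range
```

If the header carries no length field, this loop cannot work and the delimiter-scanning approach from the bug Michael links is the alternative.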
-----Original Message-----
From: Jerry White <jerrywhite518 () gmail com>
To: wireshark-dev <wireshark-dev () wireshark org>
Sent: Fri, Oct 21, 2016 4:25 pm
Subject: [Wireshark-dev] Intro and lua question



Hi,


Quick intro: I'm Jerry White, live in the SF Bay Area. I've been a Wireshark user since the ethereal days. Also have 
pretty good experience with Riverbed SteelCentral Transaction Analyzer (aka ATX.) I used to work for OPNET/Riverbed. So 
Gerald Combs and I were co-workers. And Laura Chappell is my hero. Okay, name dropping is done, here's my question:


My coding skills are rudimentary. Perhaps a 2 out of 10. I'm writing my first lua dissector. The protocol runs under 
tcp on a certain port range. I've gotten a lot of help by following Hadriel Kaplan's sample script and youtube video.  
Everything was cool, I built a tree and put stuff into the info column in the WS gui. Now I've just learned that the 
protocol repeats itself inside of a packet. Let me give you an example:


Simple packet
<tcp header stuff><MyProto fixed length header><MyProto variable length data>


I can pull stuff out of the MyProto header and data fields just fine. If life were just these types of packets I 
wouldn't be here.


Advanced packet
<tcp header stuff><MyProto fixed length header><MyProto variable length data><MyProto fixed length header><MyProto 
variable length data><MyProto fixed length header><MyProto variable length data>



This packet has three application transactions in it. The first 8 bytes of the MyProto header are always the same, and 
I can count from there into the packet to parse out the fields I need. The problem is, since the data section is 
variable length, I don't know where to look for the next header. How do I do that in lua?


Here's my code:



function mgi.dissector(tvbuf, pktinfo, root)

        pktinfo.cols.protocol:set("SomosMGI")
        
        local pktlen = tvbuf:reported_length_remaining()
        
        -- One subtree covering the whole buffer (so a second PDU in the same
        -- segment is not parsed; every offset below is relative to byte 0).
        local tree = root:add(mgi, tvbuf:range(0,pktlen))
        
        -- Each info_* value is a TvbRange, not a string; Wireshark's Lua bindings
        -- render it as hex when it is concatenated with ..
        local info_mgi_header = tvbuf:range(0,4)
        tree:add(pf_mgi_header, tvbuf:range(0,4))
        
        local info_mgi_msg_id = tvbuf:range(9,10)
        tree:add(pf_mgi_msg_id, tvbuf:range(9,10))
        
        local info_mgi_flag = tvbuf:range(19,1)
        tree:add(pf_mgi_flag, tvbuf:range(19,1))
        
        local info_mgi_msg_type = tvbuf:range(99,7)
        tree:add(pf_mgi_msg_type, tvbuf:range(99,7))
        
        local info_mgi_msg_subtype = tvbuf:range(157,4)
        tree:add(pf_mgi_msg_subtype, tvbuf:range(157,4))

        -- Comparing a TvbRange with a string is always false; to re-enable the
        -- check, compare tostring(info_mgi_flag) == "c4" instead.
        --if info_mgi_flag ==  "c4" then
        --pktinfo.cols.info:set("HEADER=")
        --pktinfo.cols.info:append("".. info_mgi_header ..",") -- printed "7e7e7e7e"
        pktinfo.cols.info:set("MSGID=") 
        pktinfo.cols.info:append("".. info_mgi_msg_id ..",") 
        pktinfo.cols.info:append("FLAG=")
        pktinfo.cols.info:append("".. info_mgi_flag ..",")      
        pktinfo.cols.info:append("MSGTYPE=")
        pktinfo.cols.info:append("".. info_mgi_msg_type ..",")
        pktinfo.cols.info:append("SUBTYPE=")
        pktinfo.cols.info:append("".. info_mgi_msg_subtype .."")        
        --end
        
        return pktlen
end




Thanks for any help you can provide.
Jerry


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe