Wireshark mailing list archives
Re: Improve Generic Netlink family id to name mapping
From: Peter Wu <peter () lekensteyn nl>
Date: Mon, 29 Jul 2019 01:41:26 +0100
On Mon, Jul 22, 2019 at 09:22:56PM +0900, Matt wrote:
> Hi,
>
> I've recently been spending some time working with netlink/wireshark. More precisely with an out-of-tree generic netlink protocol: the multipath TCP netlink path manager. I was surprised to see next to the generic netlink family id the name of the family "mptcp" in wireshark. I've had a look at the code yet I couldn't figure how it got the mapping from a number to the family name.
>
> I happen to unload/reload the linux kernel module in charge of this netlink family, thus its id keeps changing (visible via `genl ctrl list`). I have a lua script in charge of decoding this custom protocol which is attached like this
> ====
> netlink_table = DissectorTable.get("genl.family")
> local ret = netlink_table:add("mptcp", mptcp_proto)
> =====
> but once I reload the module, wireshark is unable to map the family name "mptcp" to the id, so my dissector is never used.
The mapping is stored here https://github.com/wireshark/wireshark/blob/v3.1.0/epan/dissectors/packet-netlink-generic.c#L371-L378 and discovered dynamically while parsing the attributes in a single packet. After reloading, if you capture these attributes, the mapping should work.
> What would you recommend me to work around this? Would there be interest in having a C/lua plugin to do the mapping (either via netlink or by scraping genl ctrl list)?
If you can trigger a netlink message with the attributes (perhaps using genl-ctr-list?), Wireshark should automatically pick this up.

By the way, with Lua dissector questions, perhaps wireshark-dev would be a more suitable place. The Lua guide has also moved from the WSUG (User's Guide) to the WSDG (Developer's Guide) at some point. :-)

--
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
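The discovery described in the reply above, shown as an added Python example (not Wireshark's code and not part of either message): it learns the family id to name mapping from controller messages found in a capture, with the length checks a parser of untrusted netlink data needs. It assumes little-endian host byte order and the constants from `linux/genetlink.h`; `learn_families` and `build_newfamily` are hypothetical names, and the sample messages are constructed.

```python
import struct

GENL_ID_CTRL = 0x10          # nlmsg_type of the "nlctrl" controller family
CTRL_CMD_NEWFAMILY = 1
CTRL_ATTR_FAMILY_ID = 1      # u16 payload
CTRL_ATTR_FAMILY_NAME = 2    # NUL-terminated string payload
NLA_TYPE_MASK = 0x3FFF       # strips NLA_F_NESTED / NLA_F_NET_BYTEORDER

def align4(n):
    return (n + 3) & ~3

def iter_attrs(buf):
    """Yield (type, payload) for each netlink attribute in buf."""
    off = 0
    while off + 4 <= len(buf):
        nla_len, nla_type = struct.unpack_from("<HH", buf, off)
        if nla_len < 4 or off + nla_len > len(buf):
            break  # malformed or truncated attribute: stop, do not guess
        yield nla_type & NLA_TYPE_MASK, buf[off + 4:off + nla_len]
        off += align4(nla_len)

def learn_families(capture, table=None):
    """Update an id -> name table from CTRL_CMD_NEWFAMILY messages."""
    table = {} if table is None else table
    off = 0
    while off + 16 <= len(capture):
        msg_len, msg_type = struct.unpack_from("<IH", capture, off)
        if msg_len < 16 or off + msg_len > len(capture):
            break  # length field points outside the captured bytes
        body = capture[off + 16:off + msg_len]  # genlmsghdr + attributes
        if msg_type == GENL_ID_CTRL and len(body) >= 4 and body[0] == CTRL_CMD_NEWFAMILY:
            attrs = dict(iter_attrs(body[4:]))
            fid = attrs.get(CTRL_ATTR_FAMILY_ID, b"")
            name = attrs.get(CTRL_ATTR_FAMILY_NAME, b"")
            if len(fid) >= 2 and name:
                key = struct.unpack_from("<H", fid)[0]
                table[key] = name.split(b"\0")[0].decode("ascii", "replace")
        off += align4(msg_len)
    return table

def build_newfamily(family_id, name):
    """Constructed sample: one CTRL_CMD_NEWFAMILY message (not a real capture)."""
    def attr(nla_type, payload):
        raw = struct.pack("<HH", 4 + len(payload), nla_type) + payload
        return raw.ljust(align4(len(raw)), b"\0")
    body = struct.pack("<BBH", CTRL_CMD_NEWFAMILY, 2, 0)
    body += attr(CTRL_ATTR_FAMILY_NAME, name.encode() + b"\0")
    body += attr(CTRL_ATTR_FAMILY_ID, struct.pack("<H", family_id))
    return struct.pack("<IHHII", 16 + len(body), GENL_ID_CTRL, 0, 1, 0) + body
```

A module reload shows up as a second message carrying the same name with a new id; until such a message is seen, the new id has no entry in the table.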