I have a protocol like this
"Packet" - A sequence of messages
{Head}{Content}{Head}{Content}...
"Head" - 1 byte
bit 1-7 : msg length
bit 8 : true msg or not
It is a UDP communication; I have to use bit 8 to determine whether I need to skip the message.
Following is my toy parser. The problem I am facing is how to extract the bool value that helps me make the decision.
    TOY_proto = Proto("TOY", "TOY Protocol")
    -- both fields live in the same head byte, separated by their masks
    local isSkip = ProtoField.new("Is Skip?", "mytoy.isSkip", ftypes.BOOLEAN, {"Yes", "No"}, 8, 0x01)
    local msgLen = ProtoField.new("Message Length", "mytoy.msgLen", ftypes.UINT8, nil, base.DEC, 0xFE)
    TOY_proto.fields = {isSkip, msgLen}

    -- field extractors used to read the values back after they are added to the tree
    local isSkip_Field = Field.new("mytoy.isSkip")
    local function getIsSkip()
        return isSkip_Field()()
    end
    local msgLen_Field = Field.new("mytoy.msgLen")
    local function getMsgLen()
        return msgLen_Field()()
    end

    function TOY_proto.dissector(tvbuf, pktinfo, root)
        pktinfo.cols.protocol = "TOY"
        local pktlen = tvbuf:reported_length_remaining()
        local pos = 0
        while pos < pktlen do
            local headTree = root:add("Head")
            headTree:add_le(isSkip, tvbuf:range(pos,1))
            headTree:add_le(msgLen, tvbuf:range(pos,1))
            if getIsSkip() then
                pos = pos + getMsgLen()
            else
                -- do something else
            end
        end
    end

    udp_table = DissectorTable.get("udp.port")
    udp_table:add(6628, TOY_proto)
The problem is that in the first loop every variable is right, but after the first loop the values returned from getIsSkip() and getMsgLen() are always unchanged.
When you do this:
    return isSkip_Field()()
What you're really doing is logically equivalent to this:
    -- extract the FieldInfo object using the Field object "isSkip_Field"
    local tempFieldInfo = isSkip_Field()
    -- get the Lua boolean value of the FieldInfo object
    local tempValue = tempFieldInfo()
    -- return it
    return tempValue
I mention the above to explain why you're getting what you're getting later in this answer...
When you invoke a field extractor (i.e., you call a Field object to get a FieldInfo object), you actually get back every FieldInfo object of that Field's type that exists in that packet at the time the extractor is invoked. Your packet contains multiple "messages" of your protocol, so in each loop you get back the previous loops' FieldInfo objects as well as the current one, for the same packet.
In other words, when your script executed this:
    return isSkip_Field()()
...the first time for a packet, it got back one FieldInfo object, called that, and got the boolean. When it ran the second time, the call to isSkip_Field() actually returned two FieldInfo objects, but it discarded the second one because the code is logically equivalent to the code I wrote at the top of this answer, and instead only called the first instance, which of course returns the same boolean value as the first loop iteration; and when it ran a third time for the same packet it returned three FieldInfo objects, discarded the second two, called the first one, etc.
So what you really want to do is select the correct FieldInfo object each loop iteration - namely the most recent (last) one. You can do that one of two ways: (1) using the Lua select() function, or (2) put the returned FieldInfo objects into a table and retrieve the last entry.
For example, do this:
    local isSkip_Field = Field.new("mytoy.isSkip")
    local function getIsSkip(num)
        -- select(num, ...) drops the first num-1 FieldInfo objects
        return select(num, isSkip_Field())()
    end
    local msgLen_Field = Field.new("mytoy.msgLen")
    local function getMsgLen(num)
        return select(num, msgLen_Field())()
    end

    function TOY_proto.dissector(tvbuf, pktinfo, root)
        pktinfo.cols.protocol = "TOY"
        local pktlen = tvbuf:reported_length_remaining()
        local pos = 0
        local num = 1  -- index of the message (and its FieldInfo) within this packet
        while pos < pktlen do
            local headTree = root:add("Head")
            headTree:add_le(isSkip, tvbuf:range(pos,1))
            headTree:add_le(msgLen, tvbuf:range(pos,1))
            if getIsSkip(num) then
                pos = pos + getMsgLen(num)
            else
                -- do something else
            end
            num = num + 1
        end
    end
...or this:
    local isSkip_Field = Field.new("mytoy.isSkip")
    local function getIsSkip()
        -- collect every FieldInfo returned so far and use the last one
        local tbl = { isSkip_Field() }
        return tbl[#tbl]()
    end
    local msgLen_Field = Field.new("mytoy.msgLen")
    local function getMsgLen()
        local tbl = { msgLen_Field() }
        return tbl[#tbl]()
    end

    function TOY_proto.dissector(tvbuf, pktinfo, root)
        pktinfo.cols.protocol = "TOY"
        local pktlen = tvbuf:reported_length_remaining()
        local pos = 0
        while pos < pktlen do
            local headTree = root:add("Head")
            headTree:add_le(isSkip, tvbuf:range(pos,1))
            headTree:add_le(msgLen, tvbuf:range(pos,1))
            if getIsSkip() then
                pos = pos + getMsgLen()
            else
                -- do something else
            end
        end
    end
...or if there are going to be lots of Fields, this might be nicer:
    local isSkip_Field = Field.new("mytoy.isSkip")
    local msgLen_Field = Field.new("mytoy.msgLen")

    -- return the value of the most recent FieldInfo for the given Field
    local function getFieldValue(field)
        local tbl = { field() }
        return tbl[#tbl]()
    end

    function TOY_proto.dissector(tvbuf, pktinfo, root)
        pktinfo.cols.protocol = "TOY"
        local pktlen = tvbuf:reported_length_remaining()
        local pos = 0
        while pos < pktlen do
            local headTree = root:add("Head")
            headTree:add_le(isSkip, tvbuf:range(pos,1))
            headTree:add_le(msgLen, tvbuf:range(pos,1))
            if getFieldValue(isSkip_Field) then
                pos = pos + getFieldValue(msgLen_Field)
            else
                -- do something else
            end
        end
    end
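
An added example, not part of the answer above or the poster's code: the same loop reading the head byte straight from the buffer, so no field extractor is involved, and validating the wire-supplied length before advancing. It assumes the masks from the question (0x01 and 0xFE) and that msgLen counts the whole message including its head byte; the "Content" subtree and the expert-info text are illustrative.

```lua
-- Added example; not the poster's or the answerer's code.
-- Assumptions: masks 0x01 / 0xFE as in the question, and msgLen counts the
-- whole message including its head byte (matching pos = pos + msgLen above).
local toy = Proto("TOY", "TOY Protocol")
local f_skip = ProtoField.new("Is Skip?", "mytoy.isSkip", ftypes.BOOLEAN, {"Yes", "No"}, 8, 0x01)
local f_len = ProtoField.new("Message Length", "mytoy.msgLen", ftypes.UINT8, nil, base.DEC, 0xFE)
toy.fields = { f_skip, f_len }

function toy.dissector(tvbuf, pktinfo, root)
    pktinfo.cols.protocol = "TOY"
    local pktlen = tvbuf:len() -- bytes actually captured, not just reported
    if pktlen == 0 then return end
    local tree = root:add(toy, tvbuf())
    local pos = 0
    while pos < pktlen do
        local headRange = tvbuf:range(pos, 1)
        local head = headRange:uint()      -- raw head byte, read once
        local skip = head % 2 == 1         -- bit selected by mask 0x01
        local len = math.floor(head / 2)   -- bits selected by mask 0xFE, shifted down

        local headTree = tree:add(headRange, "Head")
        headTree:add(f_skip, headRange)
        headTree:add(f_len, headRange)

        -- The length comes from the wire: zero would stall the loop and an
        -- oversized value would run past the captured data.
        if len == 0 or pos + len > pktlen then
            headTree:add_expert_info(PI_MALFORMED, PI_ERROR, "Invalid TOY message length")
            return
        end
        if not skip and len > 1 then
            tree:add(tvbuf:range(pos + 1, len - 1), "Content")
        end
        pos = pos + len
    end
end

DissectorTable.get("udp.port"):add(6628, toy)
```

Because the decision values come from local variables read at the current offset, each iteration sees its own message regardless of how many FieldInfo objects the packet already holds.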