This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Implementing a basic packet counter and incorrect order detector using dissectors and Lua

1

I am trying to implement, using Lua, a dissector which tells me whether the packets sent are arriving or not. To achieve this, on top of UDP I have implemented a custom protocol with a field "ID" which is auto-incremented by one on each packet.

I got the dissector to process the fields, but I am not able to make it read the previous packet ID and report whether the current packet ID is in the expected order.

My code:

-- 'ogg' is the Proto object declared earlier in the script (declaration not shown in the question)
packet_counter=0
function ogg.init()
  packet_counter=0
end

function ogg.dissector(buffer, pinfo, tree)
  local index

  --Get the expected index and store it to a global (and unique per packet) variable
  if (not pinfo.private.expected) then
    pinfo.private.expected=packet_counter+1
    --Get the new index (the current packet ID field)
    index=buffer(2,2):uint()
    --Set it as the new expected packet
    packet_counter=index
  end

  if (tree) then
    --Make all the packet processing here. Somewhere among this:
    if (tonumber(pinfo.private.expected) ~= index) then
      pinfo.cols.info = "ID: "..index.." is Invalid! Expected ".. pinfo.private.expected
    end
  end

end

I am getting several packets with the information correct, but other packets are getting the packet_counter variable different than what it should be, i.e. the previous packet was 100, current is 101, and it is saying that expected is 154, as if the processing order of the packets weren’t sequential.

What is wrong here?

asked 23 Oct ‘12, 08:31

LoPiTaL
accept rate: 0%

edited 23 Oct ‘12, 18:18

helloworld

(Comment only) First, I believe you should be using a Lua tap for your purposes, not a dissector. A packet can be dissected (and re-dissected) several times in one session (e.g., clicking between packets in the Packet List Pane causes the packet to be dissected), which might be a contributor to your problem. Try a tap instead.

(23 Oct ‘12, 18:32) helloworld

Hi helloworld! Thanks for your comment. I've been looking for taps, but I am not able to pass info from the tap to the dissector. It seems like the dissector is processed BEFORE the tap, is this right? So at the moment of dissection, there is no information about packet ordering, thus I can't know if it is out of order or not. Also from the tap I haven't got the tree info, nor the GUI columns info, so I cannot print the msg "out of order" anywhere. How can this be made? Note that I want to see the information using the Wireshark GUI, not the command line version. Thanks in advance, LoPiTaL

(24 Oct ‘12, 00:48) LoPiTaL

I don't know why the

  if (not pinfo.private.expected) then
    pinfo.private.expected=packet_counter+1
    --Get the new index (the current packet ID field)
    index=buffer(2,2):uint()
    --Set it as the new expected packet
    packet_counter=index
  end

didn't work between passes of the dissector. Can somebody help here? Finally I have worked around this with a global array variable in which I store the same info:

  if (not out_of_order[index]) then
    if index~=packet_counter+1 then
      out_of_order[index]=packet_counter+1
    else
      out_of_order[index]=-1
    end
    packet_counter=index
  end

and it worked pretty fine. But I have the feeling that this will be pretty memory consuming... :D Best regards, LoPiTaL

(24 Oct '12, 01:58) LoPiTaL

> It seems like the dissector is processed BEFORE the tap, is this right?

Yes, a packet is dissected before reaching a tap. The purpose of a tap is to "listen" for packets of interest (defined by a filter), but in order to determine whether a packet is "interesting", Wireshark must first dissect it.

(24 Oct '12, 21:48) helloworld

> So at the moment of dissection, there is no information about packet ordering, thus I can't know if it is out of order or not.

Based on your dissector code in the question, your packets contain some kind of index (sequence ID) in buffer(2,2):uint(). The buffer is passed to a tap, so you should be able to determine packet sequence.

(24 Oct '12, 21:49) helloworld

> Also from the tap I haven't got the tree info, nor the GUI columns info, so I cannot print the msg "out of order" anywhere.

A tap cannot modify the packet's protocol tree (in the Packet Details Pane), but it can change the packet's columns (in the Packet List Pane) via the pinfo.cols table (pinfo is passed to the tap).

(24 Oct '12, 21:49) helloworld

2 Answers:

2

You should be using pinfo.visited as suggested earlier.

The problem is that dissectors are run twice before your display is constructed when Wireshark opens, and then every time you click on a packet.

So you think you always see pinfo.visited as True, when it's not.

Have a look at this question of mine - Lua postdissector executed every time I click on a packet

Try the code below (not sure if it will work, but you should get the idea).

I'd suggest keeping the data in an outside table.

packet_counter=0

function ogg.init() packet_counter=0 end

-- Define a table for your data
local pkts = {}

function ogg.dissector(buffer, pinfo, tree)
  local index
  local pkt_no = tostring(pinfo.number)

  index=buffer(2,2):uint()

  if not pinfo.visited then
    if not pkts[pkt_no] then
      pkts[pkt_no] = {}
    end
    -- add the stuff you want to keep into your table
    pkts[pkt_no]['counter'] = packet_counter + 1
    -- advance the running counter only on the first pass, so a re-dissection does not disturb it
    packet_counter=index
  end

  -- compare the stored expectation with the ID actually carried by this packet
  if pkts[pkt_no] and pkts[pkt_no]['counter'] ~= index then
    pinfo.cols.info = "ID: "..index.." is Invalid! Expected ".. pkts[pkt_no]['counter']
  end

end

answered 31 Oct ‘12, 09:26

izopizo
accept rate: 0%

0

I have no experience with Lua dissectors, but with C dissectors you can check the flag "pinfo->fd->flags.visited" whether it is the first time a frame is dissected (on the first sequential run through the packets).

You then have to create session and packet states by using conversations and per-packet data, as described in "doc/README.developer" in paragraphs 2.2 and 2.5.

I'm sure there is an interface to these in Lua as well, but I have no experience with Lua dissectors myself unfortunately...

answered 24 Oct '12, 01:13

SYN-bit ♦♦
accept rate: 20%

edited 24 Oct '12, 21:26

helloworld

Thank you for the comment, but I checked the pinfo.visited flag in Lua, and it seems to be always set to True :(, so it did not work for me. Where can I find the "doc/README.developer" document? It does not seem to be in the installation dir of Wireshark. I am pretty interested in the per-packet data and the conversations information. Best regards, LoPiTaL

(24 Oct '12, 01:54) LoPiTaL

README.developer is in the Wireshark source tree (it's not installed). Lua has no specific interface for conversations, but you're welcome to submit a bug report that requests this enhancement.

(24 Oct '12, 21:32) helloworld
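Both answers point at the same mechanism: decide the verdict for a frame only on the first pass (pinfo.visited == false), keep it in a table keyed by frame number, and read that table on every later re-dissection. The following complete dissector, an added example rather than code from the question or either answer, does exactly that for the poster's custom UDP protocol and also puts the result in the protocol tree and an expert-info item. The header layout (2 bytes before a 2-byte big-endian ID at offset 2, matching buffer(2,2):uint()), the 16-bit wraparound and the UDP port 9999 are assumptions, since the question does not give them.

```lua
-- Added example (not from the question or the answers): sequence-gap
-- detection in a Lua dissector that survives re-dissection.
--
-- Assumed (not stated on the page): a 4-byte header whose last two bytes are
-- the big-endian packet ID, a 16-bit counter that wraps, and UDP port 9999.

local ogg = Proto("ogg", "Custom sequenced UDP protocol")

local f_id       = ProtoField.uint16("ogg.id", "Packet ID", base.DEC)
local f_expected = ProtoField.uint16("ogg.expected", "Expected ID", base.DEC)
ogg.fields = { f_id, f_expected }

-- Session state. last_id is the running counter; per_frame is keyed by frame
-- number and written only while pinfo.visited is false, so clicking a packet
-- in the list (which re-dissects it) never moves the counter or the verdict.
local last_id   = nil
local per_frame = {}

function ogg.init()
  last_id   = nil
  per_frame = {}
end

function ogg.dissector(buffer, pinfo, tree)
  if buffer:len() < 4 then return end   -- too short for the assumed header
  pinfo.cols.protocol = "OGG"

  local id = buffer(2, 2):uint()

  -- First pass only: decide what this frame should have carried and store it.
  if not pinfo.visited then
    local expected = (last_id and (last_id + 1) % 65536) or id  -- first packet sets the baseline
    per_frame[pinfo.number] = { expected = expected, ok = (expected == id) }
    last_id = id
  end

  -- Every pass (first and re-dissection) reports the stored verdict.
  local st = per_frame[pinfo.number]
  local subtree = tree:add(ogg, buffer(0, 4))
  subtree:add(f_id, buffer(2, 2))
  if st then
    subtree:add(f_expected, st.expected):set_generated()
    if st.ok then
      pinfo.cols.info = "ID: " .. id
    else
      pinfo.cols.info = "ID: " .. id .. " is Invalid! Expected " .. st.expected
      subtree:add_expert_info(PI_SEQUENCE, PI_WARN, "Unexpected packet ID")
    end
  end
end

DissectorTable.get("udp.port"):add(9999, ogg)
```

Load it with `wireshark -X lua_script:ogg.lua` or by placing it in the personal plugins directory. Keying per_frame by pinfo.number rather than by the packet ID is what makes the verdict stable: two frames that happen to carry the same ID (a retransmission, or a counter wrap) get separate entries, and the expert-info item lets you filter the list with `_ws.expert` style filters instead of reading the Info column by eye.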