This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dissect an additional TCP Option Field?

0

Hi All,

I am new to Dissectors in Lua. I have a very good idea on how to dissect a complete header but I am not sure how to go about dissecting a sub-field. For example, if I have a TCP Option which is additional to the normal options (MSS, window scale, NOP, timestamp, TCP SACK - not necessarily in that order), how will I parse the option? Do I have to dissect the Options Field from the beginning or is there any way I can start parsing from the middle (i.e. after the default TCP Options - MSS, etc.)? Any help would be really appreciated!

asked 26 Sep '13, 00:16

Vinay


2 Answers:

1

As far as I can understand you are looking for a custom sub-dissecting of an existing protocol. Unfortunately, Lua does not support sub-dissection (I recently came to this website with a similar problem). Dissectors in Lua (e.g. post or chained dissection) can only be called instead of, or after an existing dissection protocol.

You might be looking for a chained dissection. (Wiki Lua Dissectors)

If I misunderstood your question, can you please clarify your problem?

Best regards, Gerald

answered 26 Sep '13, 18:21

Gerald

Hi Gerald,

Thank you for the pointer! It cleared a lot of things for me. I had one small follow-up. You have got my question right. So basically I have this packet which has the TCP Options as MSS, Window Scale, NOP, timestamp, TCP SACK, and unknown. This unknown section is what I am looking to parse. When I write the chained dissector do I need to start from the beginning (parse MSS, Window Scale, etc.) and then finally reach the unknown section or is there any way I can jump directly to the unknown section?

Regards,

Vinay

(26 Sep '13, 23:37) Vinay

If you know the exact number of bytes you want to dissect (e.g. always byte 10-13) you can dissect only those bytes with your custom dissector.

Maybe you can also use 'Field.new()' to gather some information about an existing field previous to your custom field. I don't know if you can extract, for example, the byte position.

This will leave you with something like this:

    -- Field extractor for an already-dissected TCP field ("tcp.field" is a
    -- placeholder name; use the real field you want to read from)
    some_field_f   = Field.new("tcp.field")
    tcp_proto      = Proto("customtcp","TCP Protocol")

    -- The TCP port to hook (placeholder value; set it to your port)
    local port = 8080

    -- (Chain-)Dissector function
    function tcp_proto.dissector(buf,pinfo,tree)
        -- Call the tcp-dissector
        TCP_dissector:call(buf,pinfo,tree)
        pinfo.cols.protocol = "Custom"
        some_field = some_field_f()
        -- Extract information from some_field or
        -- Dissect buf(10,4) directly
    end

    -- Remember whatever was registered on the port and put ourselves in front of it
    local dissector_table = DissectorTable.get("tcp.port")
    TCP_dissector = dissector_table:get_dissector(port)
    dissector_table:add(port, tcp_proto)

Best regards, Gerald

(29 Sep '13, 17:43) Gerald
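Since TCP options are variable-length TLVs, the unknown option cannot be read at a fixed offset; the option list has to be walked kind by kind. The following is an added example, not Gerald's or Vinay's code: a Lua postdissector that reads the already-parsed "tcp.options" bytes via Field.new(), walks the TLVs, and exposes one option kind as its own fields. It assumes the unknown option uses kind 253 (an experimental kind); change UNKNOWN_KIND to match the capture.

```lua
-- Added example: postdissector for one non-standard TCP option.
-- Assumption: the unknown option is kind 253; adjust to your packets.
local UNKNOWN_KIND = 253

-- Field extractor for the raw option bytes; valid once the TCP dissector ran.
local tcp_options_f = Field.new("tcp.options")

local custom = Proto("customtcpopt", "Custom TCP Option")
local f_kind = ProtoField.uint8("customtcpopt.kind", "Kind", base.DEC)
local f_len  = ProtoField.uint8("customtcpopt.len",  "Length", base.DEC)
local f_data = ProtoField.bytes("customtcpopt.data", "Data")
custom.fields = { f_kind, f_len, f_data }

-- Walk the option TLVs: kind 0 = EOL (stop), kind 1 = NOP (one byte, no
-- length), everything else is kind, len, data where len counts all bytes.
-- Returns the TvbRange of the wanted option, or nil if absent or malformed.
local function find_option(opts, want)
    local off = 0
    while off < opts:len() do
        local kind = opts:range(off, 1):uint()
        if kind == 0 then return nil end
        if kind == 1 then
            off = off + 1
        else
            if off + 1 >= opts:len() then return nil end             -- truncated
            local len = opts:range(off + 1, 1):uint()
            if len < 2 or off + len > opts:len() then return nil end -- bad length
            if kind == want then return opts:range(off, len) end
            off = off + len
        end
    end
    return nil
end

function custom.dissector(buf, pinfo, tree)
    local opts = tcp_options_f()
    if not opts then return end                       -- not TCP, or no options
    local opt = find_option(opts.range, UNKNOWN_KIND)
    if not opt then return end
    local st = tree:add(custom, opt)
    st:add(f_kind, opt:range(0, 1))
    st:add(f_len,  opt:range(1, 1))
    if opt:len() > 2 then st:add(f_data, opt:range(2)) end
end

-- Run after every packet's normal dissection, so SYN segments are covered too.
register_postdissector(custom)
```

A postdissector is used instead of hooking "tcp.port" because the port hook only runs for segments carrying payload, while options such as this usually appear on the SYN; the length checks stop a malformed option from throwing a Lua error mid-dissection.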

0

Why don't you update the existing protocol to fit with your custom protocol? I had the same problem but I'm not using a Lua dissector. For example, I had custom fields on the RPL field of the ipv6 protocol; I added my own code to parse them and now it works.

As I said I'm not using Lua so I'm probably totally wrong but at least I would have learned something.

answered 27 Sep '13, 05:21

Afrim