This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Piecing Together Multipart UDP messages with Lua Wireshark Dissector

0

I'm writing a Lua Wireshark Dissector to work with a protocol that I am using that is on top of UDP.

My protocol has fields to distinguish when a message is multipart, how many segments make up the message, and what the current segment is.

Everything I've seen for putting together multiple messages in Lua is on top of TCP and uses a length in bytes. So nothing really seems to help with what I need to do.

Is it possible to piece together my messages? Any ideas on how?

Thanks for the help!

asked 09 Apr '14, 06:59

nclay09's gravatar image

nclay09
1111
accept rate: 0%

One Answer:

1

There isn't a built-in way of doing it like there is for TCP. But you can write Lua code to do it. The details for how to do that depend on how your protocol is structured and how you want to show the resulting message and fields in the Packet Details view.

If you can dissect the individual fields in each UDP packet alone, without having to reassemble across UDP packets in order to dissect it, that would make life a lot easier. You can still show which set of UDP packets are related to each other, by using an ftypes.FRAMENUM typed ProtoField.

But I'm presuming you need to reassemble across UDP packets in order to then dissect some reassembled payload that your protocol is carrying... correct?

If so, this is going to be hard to explain... it would probably be easier to just write an example script and post it. :)

The basic concept is you're going to have to save packet protocol payload as ByteArrays, in a Lua table. And then reassemble them in the final packet of a fragment sequence (if all the fragments were received), by concatenating the ByteArrays and creating a new Tvb from the concatenated one; and then calling the appropriate payload dissector on the new Tvb.

You'd also check the pinfo.visited, to avoid adding to this table after the first sequential run through the capture. And you'd need to set a function into proto.init, to reset the table(s) whenever a capture is restarted or a capture file loaded.

The details, though, depend a lot on how your protocol is structured; because the first thing you need is something to use for a key in the Lua table that holds these fragments. It would be key'd by some field or combination of fields in your protocol that identifies a single reassembled "message". Usually protocols call this thing a transaction id or message id or some such. That field needs to appear in every UDP packet, be the same value for each fragment of the same message, and be unique per reassembled message. For example, for the IPv4/IPv6 protocol, it's the "identification" field. Do you have such a field in your protocol? Or some combination of fields that can be used to create such a thing? (in fact it will really be a combination... for example, you'd probably want to include the source+dest IP:port in this key, so that the same id value from/to different hosts does not collide)

Also, if you have a current script and example pcap capture file, it would help a lot if you posted it. You can post the script here, and the pcap file on cloudshark.org; or post them on the wireshark wiki. That would make explaining this stuff go faster I think.

answered 09 Apr '14, 10:39

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Thanks for the help! I do have a key that could be used, which would be the combination of two bytes. Where would the table need to be stored? I think I follow all your logic, though, as to what needs to be done.

(09 Apr '14, 10:49) nclay09

The table would just be local to your whole script - not inside a function or anything. That's why you need to set a function into proto.init to reset it, because wireshark doesn't provide anything to do that for you automatically, afaik.

(09 Apr '14, 10:53) Hadriel