This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

When i use customed dissector to parse data field in LLC, I found the dissector not be called. Can anyone help me about how to make it work? thx

qos-llc-data-proto = Proto ("qos-llc-data", "qos test llc data", "protocol qos test llc data")

.....

qos-llc-data-proto.fields = { f-llc-u8-type, f-llc-u16-sequence, f-llc-u32-tick, f-llc-u8-priority, f-llc-bytes-data }

function qos-llc-data-proto.dissector(buffer,pinfo,tree)
{
...  
}

local my-dsap = 68

local llc-table = DissectorTable.get("llc.dsap")

llc-table:add(68, qos-llc-data-proto)

alt text

asked 28 Jul '14, 08:20

wireshark_xg's gravatar image

wireshark_xg
1223
accept rate: 0%

edited 28 Jul '14, 08:51

grahamb's gravatar image

grahamb ♦
19.8k330206

I assume your code example is fake, rather than from the real script code, since it uses illegal variable names. (dashes are illegal in names) But the general concept of the script appears ok.

Some basic questions:

  1. Do you know that your script is actually being loaded at all? For example if you put a syntactic error in it does wireshark error trying to load it, or if you put a print statement in it does it print when wireshark loads?

  2. Is your packet the right kind of packet for that "llc.dsap" table - I don't know anything about LLC packets, but it appears that "llc.dsap" table only gets looked up for specific xDLC packets, for control information types. It looks like your example packet in the capture above is the right type, but I don't know for sure.

  3. Can you post the capture file somewhere? Like on cloudshark or someplace public?

(28 Jul '14, 14:59) Hadriel

Hi Hadriel, Sorry for not describe it clearly.

1.Following is detailed code.

qos_llc_data_proto = Proto ("qos-llc-data", "qos test llc data", "protocol qos test llc data")

local f_llc_u8_type = ProtoField.uint8("qos-llc-data.type", "type", base.DEC)
local f_llc_u16_sequence = ProtoField.uint16("qos-llc-data.sequence", "sequence", base.DEC)
local f_llc_u32_tick = ProtoField.uint32("qos-llc-data.tick", "tick", base.DEC)
local f_llc_u8_priority = ProtoField.uint8("qos-llc-data.priority", "priority", base.DEC)
local f_llc_bytes_data = ProtoField.bytes("qos-llc-data.bytesData", "data", base.DEC)

qos_llc_data_proto.fields = { f_llc_u8_type, f_llc_u16_sequence, f_llc_u32_tick, f_llc_u8_priority, f_llc_bytes_data }
f_proto = DissectorTable.new("gnunet.proto", "Gnunet Protocoll", FT_UINT16, BASE_DEC)

function qos_llc_data_proto.dissector(buffer,pinfo,tree)
    pinfo.cols.protocol:set("qos-test-llc-data")

    pinfo.cols.info:set("qos test llc data")

    local buffer_len = buffer:len()
    local myProtoTree = tree:add(qos_llc_data_proto, buffer(0, buffer_len), "qos-test-llc-data")

    buffer:len_asdf()

    local offset = 0
    myProtoTree:add_le(f_llc_u8_type, buffer(offset, 1))
    offset = offset + 1

    myProtoTree:add_le(f_llc_u16_sequence, buffer(offset, 2):uint())
    offset = offset + 2

    myProtoTree:add_le(f_llc_u32_tick, buffer(offset, 4):uint())
    offset = offset + 4

    myProtoTree:add_le(f_llc_u8_priority, buffer(offset, 1))
    offset = offset + 1

    myProtoTree:add_le(f_llc_bytes_data, buffer(offset, (buffer_len - offset)))
end

local my_dsap = 68 
local llc_table = DissectorTable.get("llc.dsap")
llc_table:add(68, qos_llc_data_proto)

2 From picture, you can find size of LLC packet is 1052, so i want to parse its data field as above code. I don't how to add my dissector to it or how to parse it. I already use similar dissector and add it to port of UDP, and it can works well.

(28 Jul '14, 15:28) wireshark_xg
  1. I already checked that llc_table is not nil after it is get from DissectorTable.get("llc.dsap").
  2. From picture, you can find DSAP field of packet is 0x44.
(28 Jul '14, 15:31) wireshark_xg
  1. I tried add some error in dissector function qos_llc_data_proto.dissector(buffer,pinfo,tree), find the dissector is not loaded. I don't know why?
(28 Jul '14, 16:30) wireshark_xg

What kind of error did you try to introduce in the dissector? The error needs to be a syntactic Lua error, as opposed to just accessing an invalid/non-existent function (for example). Because during load the script is parsed by the Lua interpreter, but the dissector function code isn't actually executed yet until later. So the error needs to be something fundamentally invalid in Lua language. For example, just put the word "foobar" on a line, even outside the dissector function... like at the top of your script.

(29 Jul '14, 07:30) Hadriel

If the script file itself isn't being loaded, how did you try loading it? Did you put it in the appropriate plugins directory to be auto-loaded, or are you trying to load it using dofile(), or what?

(29 Jul '14, 07:32) Hadriel

it appears that "llc.dsap" table only gets looked up for specific xDLC packets, for control information types

It's used for I and UI frames, rather than S frames or UI frames other than UI frames.

It looks like your example packet in the capture above is the right type

"Control field: I" indicates that it's an I frame, so, yes, it's the right type, at least in Wireshark 1.10 and later (I don't know whether earlier versions supported it only for U frames).

(29 Jul '14, 13:34) Guy Harris ♦♦

Which version of Wireshark is this?

(29 Jul '14, 13:34) Guy Harris ♦♦

Thank you for your reply. If i add some error line outside dissector function, when wireshark is started, there is error reported. But if i just add error line into dissector function, there is no error reported. As you said, dissector function is executed when parse real network data. So it means that my dissector is not executed really. So my question is it how to parse LLC data field in my case.

(30 Jul '14, 15:48) wireshark_xg

I find the reason why dissector not call. When reading source code of wireshark, i found following code.

        if (XDLC_IS_INFORMATION(control)) {
                /*
                 * Non-SNAP I or UI frame.
                 * Try the regular LLC subdissector table
                 * with the DSAP.
                 */
               if (!dissector_try_uint(dsap_subdissector_table,
                    dsap, next_tvb, pinfo, tree)) {
                    call_dissector(data_handle, next_tvb,
                        pinfo, tree);
                }
        }

#define XDLC_IS_INFORMATION(control) \
    (((control) & XDLC_I_MASK) == XDLC_I || (control) == (XDLC_UI|XDLC_U))

From above code, if XDCL is information, then dsap dissector will called. But from ftype of my frame, it is one XDCL_S which means Supervisory frame. So dsap dissector will not call. So the question is how to parse data filed of LLC. I don't how to add my dissector after parse LLC? In the page http://wiki.wireshark.org/Lua/Dissectors, it gives examples. But which type can be used in my case? thx

(30 Jul '14, 17:47) wireshark_xg

To quote IEEE Std 802.2-2008 section 5.4.2.2 "Supervisory format commands and responses":

PDUs with the S format shall not contain an information field

Therefore, there is nothing to hand to a dissector - there IS no data field in an S frame! - so we don't call dissectors for S frames.

(30 Jul '14, 18:00) Guy Harris ♦♦
showing 5 of 11 show 6 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×431
×16
×3

question asked: 28 Jul '14, 08:20

question was seen: 1,919 times

last updated: 30 Jul '14, 18:00

p​o​w​e​r​e​d by O​S​Q​A