This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dissect MAC protocol with additional upper layer protocols

0
1

I have a simple MAC layer protocol that wraps IPv6. I have captured some frames (text) and converted them using text2pcap.exe and the user defined link layer option DLT_USER0.

Next, I followed directions here and added my 'SimpleMAC' protocol as follows: edit_preferences

Opening the pcap file in Wireshark, I can see that it recognizes my MAC protocol and successfully dissects the IPv6 packet: ipv6_dissected

However, I want to add a Lua dissector to view the MAC details. Setting my Lua dissector to the correct wtap_encap dissector table entry, I can now see my 'SimpleMAC' protocol dissected, but I can no longer see the details for the IPv6 packet:
simplemac_dissected

How can I do this so I can see both?

Here is the code for my Lua dissector:

oProtoSimpleMac = Proto("simplemac", "Simple MAC")
function oProtoSimpleMac.dissector(oTvbData, oPinfo, oTreeItemRoot)
    if oTvbData:len() < 33 then
        return
    end
--Get SimpleMAC details
local dStartByte  = oTvbData(0, 1)
local uiVersion    = oTvbData(1, 1):uint()
local uiLnkQuality = oTvbData(2, 1):uint()
local uiSeqNum     = oTvbData(3, 2):uint()
local dFlags       = oTvbData(5, 4)
local uiTimeSecs   = oTvbData(9, 4):uint()
local uiTimeMSecs  = oTvbData(13,4):uint()
local dSrcMacAddr  = oTvbData(17,8)
local dDestMacAddr = oTvbData(25,8)

--Update Protocol and Info columns
oPinfo.cols.protocol = &#39;SimpleMAC&#39;
oPinfo.cols.info = &#39;Simple MAC&#39;

--Add tree and sub-tree data for expanding the packet info
local oSubtree = oTreeItemRoot:add(oProtoSimpleMac, oTvbData(), &#39;Simple MAC Protocol Data&#39;)
oSubtree:add(oTvbData(0,1), &#39;StartByte : 0x&#39; .. dStartByte)
oSubtree:add(oTvbData(1,1), string.format(&#39;Version   : %d&#39;, uiVersion))
oSubtree:add(oTvbData(2,1), string.format(&#39;Link Quality: %d&#39;, uiLnkQuality))
oSubtree:add(oTvbData(3,2), string.format(&#39;Sequence Number: %d&#39;, uiSeqNum))
oSubtree:add(oTvbData(5,4), &#39;Flags: 0x&#39; .. dFlags)
oSubtree:add(oTvbData(9,8), &#39;Time:&#39;)
oSubtree:add(oTvbData(25,8), &#39;Source MAC Addr      : &#39; .. dSrcMacAddr)
oSubtree:add(oTvbData(17,8), &#39;Destination MAC Addr : &#39; .. dDestMacAddr)

end

local wtap_encap_table = DissectorTable.get("wtap_encap") wtap_encap_table:add(45, oProtoSimpleMac)

asked 21 Nov ‘14, 10:42

littleman's gravatar image

littleman
11124
accept rate: 0%

edited 21 Nov ‘14, 10:43

Interestingly, I’ve found that when I modify the Lua dissector to add the Simple MAC protocol back to the wrong value ( wtap_encap_table:add(46,oProtoSimpleMac) ), Wireshark dissects both the Simple MAC and the IPv6 packet.

The problem now is, if the frame contains only MAC information (no, payload with IPv6), I get a Malformed packet error and ‘IPv6’ appears in the Protocol Column: malformed_pkt

How do I make it stop at the Simple MAC layer if there is no additional data?

(24 Nov ‘14, 10:09) littleman


One Answer:

2

When you use a Lua script to create a new protocol and dissect a packet as it, Wireshark has no idea what other protocol(s) might be after your new protocol in the packet. So when you did this:

wtap_encap_table:add(45, oProtoSimpleMac)

You told Wireshark to use your Lua-based oProtoSimpleMac dissector for any packets of link-layer encapsulation number 45 (i.e., USER0). So wireshark calls your oProtoSimpleMac.dissector() function when it sees a packet of encapsulation 45.

When you instead add a user DLT entry to the DLT table in the preferences, as you did at the beginning, you told wireshark not only what your encapsulation info is for USER0, but also that the payload's protocol after it is IPv6. So when wireshark does it that way, it worked.

So to do the same thing in Lua, at the end of your oProtoSimpleMac.dissector() function you need to call the appropriate dissector, namely the IPv6 one - or not call it if there is no IPv6 payload.

To call a built-in dissector, first you need to get it using Dissector.get("ipv6"), and then you need to call() the retrieved dissector.

So like this:


local oProtoSimpleMac = Proto("simplemac", "Simple MAC")
local oIPv6Dissector = Dissector.get("ipv6")

function oProtoSimpleMac.dissector(oTvbData, oPinfo, oTreeItemRoot) – do stuff here

if my_packet_has_ipv6 then
    -- invoke the ipv6 dissector, giving it a Tvb starting at offset 33 to the end
    oIPv6Dissector:call(oTvbData(33):tvb(), oPinfo, oTreeItemRoot)
end

end

local wtap_encap_table = DissectorTable.get("wtap_encap") wtap_encap_table:add(45, oProtoSimpleMac)

answered 23 Dec ‘14, 23:32

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Thanks, that worked like a charm!

(29 Dec ‘14, 08:33) littleman