This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to register a Lua dissector to decode a custom raw sockets protocol?

0

Hi.

For several days I've been trying (unsuccessfully) to write my own dissector in the Lua language in order to decode, through Wireshark, the frames created with a custom raw sockets protocol.

My frames have a classic Ethernet structure:

  • MAC destination address
  • MAC source address
  • MAC length payload (ethertype)
  • Payload
  • Eventual padding

Without a custom dissector, Wireshark uses the LLC protocol to decode the frames.

Therefore, to get a specific decoding, I've tried to write a Lua dissector. I should point out that I'm a beginner with the Lua language.

Anyway. After several tests, I can more or less decode my frame by registering my dissector as follows:

    local wtap_encap_table = DissectorTable.get("wtap_encap")
    wtap_encap_table:add(1, MyProto)

However, Wireshark uses my dissector to decode all the frames that pass over my Ethernet link and leaves the Source and Destination columns empty.

So, I'd like to know how to make Wireshark decode only my frames with my custom dissector.

To complete my question, here is my Lua script:

    -- MyProto Dissector
    local MyProto = Proto("MyProto", "MyProto")

    -- MyProto Dissector fields --
    local f = MyProto.fields

    -- Field declarations (left commented out in the original script)
    -- f.MAC_addr_dest = ProtoField.string("MyProto.MAC_addr_dest", "MAC_addr_dest")
    -- f.MAC_addr_src  = ProtoField.string("MyProto.MAC_addr_src", "MAC_addr_src")

    function MyProto.dissector(buffer, pinfo, tree)
        -- 14-byte Ethernet header + 4-byte message header
        if buffer:len() < 18 then return end

        -- Parameters: the Ethernet header is parsed by hand here because the
        -- wtap_encap registration below replaces the built-in Ethernet dissector
        local MAC_addr_dst0 = buffer(0, 1):uint()
        local MAC_addr_dst1 = buffer(1, 1):uint()
        local MAC_addr_dst2 = buffer(2, 1):uint()
        local MAC_addr_dst3 = buffer(3, 1):uint()
        local MAC_addr_dst4 = buffer(4, 1):uint()
        local MAC_addr_dst5 = buffer(5, 1):uint()
        local MAC_addr_src0 = buffer(6, 1):uint()
        local MAC_addr_src1 = buffer(7, 1):uint()
        local MAC_addr_src2 = buffer(8, 1):uint()
        local MAC_addr_src3 = buffer(9, 1):uint()
        local MAC_addr_src4 = buffer(10, 1):uint()
        local MAC_addr_src5 = buffer(11, 1):uint()
        local MAC_length = buffer(12, 2):uint()
        local Msg_LA     = buffer(14, 2):uint()
        local Msg_length = buffer(16, 2):uint()

        -- Test for a specific message to see how it works!
        if Msg_LA == 0x0000 and Msg_length == 0x08 then
            -- Update "Protocol" and "Info" columns
            pinfo.cols.protocol = 'MyProto'
            pinfo.cols.info = "MSG : MON_HELLO_CNN" .. ", " .. string.format('LA: %0.4x', Msg_LA) .. ", " .. string.format('Length: %0.2x', Msg_length)

            -- Add tree and sub-tree data for expanding the packet info
            local tree1 = tree:add(MyProto, buffer(), 'MyProto Protocol Data')
            tree1:add(buffer(0, 6), string.format('Destination MAC Addr: %0.2x:%0.2x:%0.2x:%0.2x:%0.2x:%0.2x', MAC_addr_dst0, MAC_addr_dst1, MAC_addr_dst2, MAC_addr_dst3, MAC_addr_dst4, MAC_addr_dst5))
            tree1:add(buffer(6, 6), string.format('Source MAC Addr: %0.2x:%0.2x:%0.2x:%0.2x:%0.2x:%0.2x', MAC_addr_src0, MAC_addr_src1, MAC_addr_src2, MAC_addr_src3, MAC_addr_src4, MAC_addr_src5))
            tree1:add(buffer(12, 2), string.format('MAC Length: 0x%0.4x', MAC_length))
            tree1:add(buffer(14, 2), string.format('MSG LA: %0.4x', Msg_LA))
            tree1:add(buffer(16, 2), string.format('MSG Length: 0x%0.4x', Msg_length))
        end
    end

    -- Registers MyProto for wtap encapsulation 1 (Ethernet), i.e. in place of the
    -- Ethernet dissector, so it receives every frame on the link
    local wtap_encap_table = DissectorTable.get("wtap_encap")
    wtap_encap_table:add(1, MyProto)

asked 21 Apr ‘15, 07:35


Saj_B
6112
accept rate: 0%
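An added example (not the poster's script and not an answer from the archive) of the registration the question is after: attaching the dissector to Wireshark's "ethertype" table instead of "wtap_encap", so the built-in Ethernet dissector keeps handling the 14-byte header (and fills the Source/Destination columns) and MyProto only runs for frames whose type field carries the chosen value. Assumed: the sender writes 0x88B5 (an IEEE 802 local experimental EtherType) into the length/type field, and the message length counts the bytes that follow the 4-byte LA/length header.

```lua
-- Added example, not the poster's code.
-- ASSUMPTION: the sender puts 0x88B5 in the Ethernet length/type field.
local MY_ETHERTYPE = 0x88B5

local myproto = Proto("MyProto", "MyProto custom raw-socket protocol")

-- Real ProtoFields, so "myproto.la == 0" works as a display filter
local f_la     = ProtoField.uint16("myproto.la",     "MSG LA",     base.HEX)
local f_length = ProtoField.uint16("myproto.length", "MSG Length", base.HEX)
local f_data   = ProtoField.bytes ("myproto.data",   "Payload")
myproto.fields = { f_la, f_length, f_data }

-- 'buffer' starts right after the Ethernet header: the "eth" dissector has
-- already consumed the two MAC addresses and the type field and has set the
-- Source/Destination columns before handing the payload to us.
function myproto.dissector(buffer, pinfo, tree)
    -- Returning 0 tells Wireshark the payload was not dissected
    if buffer:len() < 4 then return 0 end

    local msg_la     = buffer(0, 2):uint()
    local msg_length = buffer(2, 2):uint()

    pinfo.cols.protocol = "MyProto"
    pinfo.cols.info = string.format("LA: 0x%04x, Length: 0x%04x",
                                    msg_la, msg_length)

    local subtree = tree:add(myproto, buffer(), "MyProto Protocol Data")
    subtree:add(f_la,     buffer(0, 2))
    subtree:add(f_length, buffer(2, 2))

    -- ASSUMPTION: msg_length counts bytes after the 4-byte header. Clamp it
    -- to what is actually captured so a bad length cannot run past the tvb;
    -- whatever is left over is the Ethernet minimum-frame padding.
    local data_len = math.min(msg_length, buffer:len() - 4)
    if data_len > 0 then
        subtree:add(f_data, buffer(4, data_len))
    end
    return 4 + data_len
end

-- Only frames whose type field equals MY_ETHERTYPE reach this dissector;
-- everything else on the link is decoded as before.
DissectorTable.get("ethertype"):add(MY_ETHERTYPE, myproto)
```

If the field at offset 12 keeps a payload length (1500 or less), the Ethernet dissector still hands the payload to LLC, as the question observes, so this registration only takes effect once the sender writes an EtherType value there.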