This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lua: create an modified TVB before chaining dissector

0

Hi,

I want to dissect an Wifi packet trace that seems to use the PTP/USB packet format instead of the PTP/IP one. Except two butter offsets and one changed field the packets are identical. The easiest solution would be to create an modified copy of the tvb and pass it to the original ptp/ip dissector. Is that possible? How?

Thanks, Thomas

asked 20 Sep '15, 01:24

Thomas%20E's gravatar image

Thomas E
36459
accept rate: 0%


One Answer:

0

If this one is still interesting... I'm afraid there will be some collateral damages because you cannot augment (or replace) the packet data with forged ones just like that. In another words, the tvb type exists on a purpose, e.g. when you treeitem:add a protocol field as a tvb:range[:typedef], clicking on that field in the packet dissection pane causes its corresponding bytes to be highlighted in the packet bytes pane, and vice versa. In fact, what you actually do in this case is that you add to the tree a reference to that tvb range and tell Wireshark how to translate its contents into human-readable form.

So you can extract the part of the message which is identical for both formats from the buffer into a byte array, concatenate it with a byte array representing the forged header, and use bytearray:tvb function to create a new tvb from it and call the existing dissector, giving it your new tvb as a target. While I'm sure the packet bytes pane highlight functionality will not work in this case (because no mapping between the position of a given byte in the "real" and "forged" tvb will survive such double-conversion), I have no idea what else may go wrong.

Another chance could be to do that operation offline, outside Wireshark, by using other software to patch the capture file that way.

answered 15 May '16, 05:06

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%