This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

translate IP into text with Lua


Hello,

I have some format of IPs for my endpoints. For example: 10.0.X.28 is host1, 10.0.X.11 is host2.

I'm writing some LUA dissector to parse my protocol. Part of this dissector, I'd like to change the IPs which are shown, to host1/host2 etc.

How this can be done?

Thank you

asked 20 Jun '16, 01:43

BMWE

edited 21 Jun '16, 06:19

sindy

Do I get you right that you want to translate each IP address from a fixed list to a text string? Do you also want to use these strings (your hostnames) in the display filter? Lua dissectors can use Lua tables to define a string for each index value which may be almost anything.

(21 Jun '16, 01:41) sindy

Hi,

I have some format for the IP (like in the example). From this format I'd like to convert the IP to some name (not necessarily the hostname).

(21 Jun '16, 04:35) BMWE

One Answer:


A quote from one of my Lua ad-hoc dissectors:

    -- Define Translation Tables for Individual Items
    lfb_indictn_values = {}
    lfb_indictn_values[0] = "lfbAllowed"
    lfb_indictn_values[1] = "lfbNotAllowed"
    lfb_indictn_values[2] = "pathReserved"

    -- Export 'MyProto'
    My_proto = Proto("mine","MyProto")
    -- …
    My_proto_LFB_Indictn = ProtoField.uint8("my_proto.LFB_Indictn","LFB_Indictn",base.DEC,lfb_indictn_values)
    -- …
    My_proto.fields = {…, My_proto_LFB_Indictn, …}

and then, in the dissector function itself:

    -- one byte at offset 7 of the TVB carries the LFB indication
    local lfb_ind = buffer:range(7,1)
    -- the field object defined above; the value string comes from lfb_indictn_values
    subtree:add(My_proto_LFB_Indictn, lfb_ind)

So you could modify it for your purpose by changing the ProtoField.uint8 to ProtoField.IPv4 and replacing the reference values 0, 1, 2 with your IP addresses, if ftype.IPv4 allows the value -> text translations to be used; otherwise, you would have to treat the IPv4 field as uint32 and convert your IP addresses to the corresponding uint32 values.

    endpoint_hostname = {}
    endpoint_hostname[167773980] = "host number 28"   -- 10.0.7.28 as uint32 (0x0A00071C)
    endpoint_hostname[167773969] = "host number 17"   -- 10.0.7.17 as uint32 (0x0A000711)

or, possibly,

    -- …
    endpoint_hostname["10.0.7.28"] = "host number 28"
    -- …

answered 21 Jun '16, 06:11

sindy

I'm missing something in your solution: in the main screen, where one can see all the packets, there are source and destination columns, where the IP can be seen. I'm looking to replace those IPs.

In addition, I have some constant IPs (which is more simple), but I have also some template for IPs: 10.0.X.28, where X can be any value. How can I change those IPs?

(21 Jun '16, 08:54) BMWE

I've converted your "Answer" (which it clearly wasn't, as it did not answer your original Question) into a Comment, see site FAQ for details.

From your Question it wasn't clear to me that you want to change the way IP addresses are dissected at the IP layer; I thought you were talking about IP addresses inside your own protocol.

In general, a dissector only deals with the part of the frame it has been given for processing as a TVB parameter, and it cannot affect how other dissectors handle other parts of the frame. So if you want to change the way IP addresses are extracted into packet info fields and filterable fields, you would have to replace the IPv4 dissector with your own one. I.e. you would have to register your own dissector for the IPv4 layer, replace the pointers to it in the Ethertype etc. dissector tables, and make it call the icmp, tcp, udp etc. dissectors based on the contents of the ip.proto field of the IPv4 header (according to the contents of the dissector table ip.proto).

As for ignoring the X byte, that would require doing the translation manually, i.e. you would not be able to use the translation embedded into the Lua API (but it would still be possible to use the table, except that you would have to use only the last byte of the IPv4 address as the key).

But there is another way to achieve your goal than using a Lua dissector: you might want to use Wireshark's name resolution ability to translate the IP addresses to text using the local hosts file, as suggested here.

(21 Jun '16, 10:02) sindy
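An added example (not part of the original thread) of the manual translation sindy's last comment describes: exact addresses are tried first, then the 10.0.X.28 template is matched on the last octet only, and the result is shown beside an IPv4 field inside the custom protocol's own payload. The protocol name, field layout, UDP port and host names are assumptions.

```lua
-- Added example: manual IP -> name translation inside a Lua dissector.
-- Exact addresses are looked up first; then addresses of the form
-- 10.0.X.<last> are matched on the last octet only (X is ignored).
-- Protocol name, offsets, port and host names below are assumptions.

local exact_names = {
    ["192.168.1.5"] = "gateway",   -- constructed sample entry
}

-- keyed on the last octet only, for the 10.0.X.<last> template
local template_names = {
    [28] = "host1",
    [11] = "host2",
}

-- Returns the name for a dotted-quad string, or nil when nothing matches.
local function endpoint_name(ip_str)
    if exact_names[ip_str] then
        return exact_names[ip_str]
    end
    local a, b, c, d = ip_str:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end            -- not a valid dotted quad
    if tonumber(a) == 10 and tonumber(b) == 0 then
        return template_names[tonumber(d)]  -- third octet X is not checked
    end
    return nil
end

my_proto = Proto("myproto", "My Protocol")
local f_endpoint = ProtoField.ipv4("myproto.endpoint", "Endpoint")
my_proto.fields = { f_endpoint }

function my_proto.dissector(buffer, pinfo, tree)
    local subtree = tree:add(my_proto, buffer())
    -- assumed layout: the endpoint IPv4 address sits at offset 4 of the payload
    local range = buffer:range(4, 4)
    local item = subtree:add(f_endpoint, range)
    local name = endpoint_name(tostring(range:ipv4()))
    if name then
        -- keep the raw address (still filterable), show the name beside it
        item:append_text(" (" .. name .. ")")
    end
end

-- assumed registration: the payload is carried over UDP port 9999
DissectorTable.get("udp.port"):add(9999, my_proto)
```

This only annotates the address carried inside your own protocol; as the comment explains, the IP-layer Source and Destination columns are left to the IPv4 dissector (or to hosts-file name resolution).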