
Hi, I am trying to create a custom Lua dissector for the Modbus protocol. This protocol can have any number of identically structured attributes depending upon the packet contents. For example: Register 1: some value, Register 2: some value, Register 3: some value, Register 4: some value, and so on. I need to come up with a way to create protocol fields dynamically and give them dynamic names. In the case of the above example, since I do not know beforehand how many registers are going to be present, I need to count the data at run time and accordingly number the registers (e.g. Register 1, Register 2 and so on). So I wanted to know if there is any way to achieve this.

Also I wanted to know if there is any way to optimize the Lua dissectors, as I am dealing with large chunks of Wireshark data and it takes a lot of time to apply a filter due to the dissector. I was wondering whether there is a way to precompile Lua dissectors so that they are not compiled every time a filter is applied.

Thank you in advance.

asked 05 Aug '16, 12:56
shobhit_garg91

edited 06 Aug '16, 04:03

sindy

I'm not posting this as an Answer as I haven't tested my suggestion of a workaround, it is just a rough idea.

Your question, although it is not obvious at first glance, is actually an extension of this one, but apparently @_michel hasn't filed an enhancement request as @Guy Harris suggested back then.

There is currently no way to dynamically assign field names like input_temperature, max_pressure etc. to protocol fields because you have to register all potential field descriptions in advance. Nor is there currently a way to use indexed protocol fields like register[3].

On the other hand, it is possible to register a field type once but hook several instances of such a field to the dissection tree. All of them have the same name but their values differ.

So you may register a field type like modbus.registerAVP and let your dissector generate multiple instances of this field per PDU. The values of these fields would be composed of the dynamic name, a separator and the actual value, like input_temperature=100. This would allow you to use display filters like modbus.registerAVP matches "^input_temperature" but not to compare the actual values to constants (or to each other) for anything other than equality or non-equality.

To allow other types of value comparison, like input_temperature >= 50, you would have to register pairs of modbus.registerAVP.N.name, modbus.registerAVP.N.value for N from, say, 1 to 10 (or 100 or maybe 1000), and then use complex display filters like (modbus.registerAVP.1.name = "input_temperature" and modbus.registerAVP.1.value >= 50) or (modbus.registerAVP.2.name = "input_temperature" and modbus.registerAVP.2.value >= 50) or ... So for more than 5 register values per PDU, even this (comparing the value of a field of a known name to a constant) would already be a nightmare, and comparing the values of two such fields to each other would be nearly impossible due to the exponential growth of the number of necessary filter primitives.

As your Question deals with modbus, you may also be interested in this question, but it seems @Evan hasn't filed an enhancement request either.

So maybe you will file them?

(06 Aug '16, 03:39) sindy

But on the other hand, if you know in advance all the individual names you would use as aliases to the individual registers, you can register all of them and then always choose the appropriate one to hook to the dissection tree.

(06 Aug '16, 03:52) sindy

Hi Sindy, Thank you for your inputs. I have a question though. In your suggestion you mentioned that the field I create will contain a dynamic name, a separator and an actual value. I am not able to understand how to provide a dynamic name to the field. I am aware that the same field can be added to the dissector tree multiple times, but the name of the field remains the same in this case (the name of the field before the separator ":"). For now I am not keen on using the fields for filtering purposes, I just want to display them as having dynamic names (e.g. Register 1: xxx, Register 2: xxx and so on. Here the numbers 1 and 2 are dynamic depending upon the number of register values present.) Please let me know what could be done in this regard.

Thanks, Shobhit Garg.

(15 Aug '16, 07:55) shobhit_garg91

What I had in mind is that a normal protocol field has a pre-declared name and (where required) a value. In the suggested case, the pre-declared name would be static, and the value would contain the dynamic name and the actual value in a single string, inside which the dynamic name part and the actual value part would be distinguished by means of a separator.

Example of the result in the dissection pane:

modbus.registerAVP: input_temperature=100
modbus.registerAVP: max_pressure=20

So here:

  • modbus.registerAVP is the static "Wireshark" field name,

  • input_temperature=100 and max_pressure=20 are the "Wireshark" values,

  • input_temperature and max_pressure are the dynamic names,

  • = is the separator,

  • 100 and 20 are the actual values.

Or, if we use the second way suggested:

modbus.registerAVP.1.name: input_temperature
modbus.registerAVP.1.value: 100
modbus.registerAVP.2.name: max_pressure
modbus.registerAVP.2.value: 20

  • modbus.registerAVP.1.name, modbus.registerAVP.1.value, modbus.registerAVP.2.name, and modbus.registerAVP.2.value are "Wireshark" names,

  • values of modbus.registerAVP.X.name are the dynamic names,

  • values of modbus.registerAVP.X.value are the actual values.

(15 Aug '16, 08:12) sindy
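Both of sindy's workarounds in one runnable Lua dissector, added here by the editor; it is not code from the thread. It goes one step beyond the thread by also emitting a plain text tree item, which yields the run-time "Register N" label without any extra ProtoField. The wire layout (one count byte followed by 16-bit registers), the TCP port, the pool size of 10 and the two alias names are all assumptions made for the example.

```lua
-- Added example, not from the thread. Assumed (constructed) wire layout:
-- 1 byte register count, then that many big-endian 16-bit register values.
local p = Proto("modbusavp", "Modbus register AVP example")
-- Approach 1: one static field, added once per register, value "name=value".
local f_avp = ProtoField.string("modbusavp.registerAVP", "Register AVP")
-- Approach 2: a fixed pool of indexed name/value pairs (MAX_REGS is assumed).
local MAX_REGS = 10
local f_name, f_value, fields = {}, {}, { f_avp }
for i = 1, MAX_REGS do
  local base = "modbusavp.registerAVP." .. i
  f_name[i]  = ProtoField.string(base .. ".name",  "Register " .. i .. " name")
  f_value[i] = ProtoField.uint16(base .. ".value", "Register " .. i .. " value")
  fields[#fields + 1] = f_name[i]
  fields[#fields + 1] = f_value[i]
end
p.fields = fields  -- every potential field has to be registered up front
-- Aliases known in advance (constructed); unnamed registers get "register_N".
local ALIASES = { "input_temperature", "max_pressure" }

function p.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = p.name
  local subtree = tree:add(p, tvb())
  if tvb:len() < 1 then return end
  local count = tvb(0, 1):uint()
  -- Never trust the count: clamp it to what the buffer really holds so a
  -- truncated or crafted PDU cannot make the dissector throw on a bad range.
  local avail = math.floor((tvb:len() - 1) / 2)
  if count > avail then
    subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "register count exceeds PDU")
    count = avail
  end
  for i = 1, count do
    local r = tvb(1 + (i - 1) * 2, 2)
    local name = ALIASES[i] or ("register_" .. i)
    -- Approach 1: filterable with   modbusavp.registerAVP matches "^input_"
    subtree:add(f_avp, r, name .. "=" .. r:uint())
    -- Approach 2: filterable with   modbusavp.registerAVP.1.value >= 50
    if i <= MAX_REGS then
      subtree:add(f_name[i], r, name)
      subtree:add(f_value[i], r)
    end
    -- Display-only numbering (editor's addition): a plain text item needs no
    -- ProtoField, so the "Register N" label can be generated at run time.
    subtree:add(r, "Register " .. i .. ": " .. r:uint())
  end
end

-- Port 5020 is a placeholder; the thread names no port.
DissectorTable.get("tcp.port"):add(5020, p)
```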
question was seen: 2,994 times

last updated: 15 Aug '16, 08:12