I have a custom protocol which combines to make a higher-level protocol. It is analogous to HTTP over TCP but it is NOT either of those.
I have implemented a custom dissector for the lower-level custom protocol. I used one of the DLT_USER linktypes to register the protocol in my Lua plugin. I managed to successfully dissect all of the fields required in this "subprotocol".
Now, I would like to "reassemble" or combine packets of this subprotocol to display the higher-level protocol. I am struggling to figure out how to do this. I have found some documentation relating to TCP reassembly, but I am not sure reassembly will work with my custom protocol since it is not TCP and it has its own custom linktype.
I am wondering if a tap is the right solution for me?
asked 30 Jan '17, 08:31
I would recommend visiting the Wireshark Lua/Examples wiki page and reviewing some of the example Lua files provided there. In particular, fpm.lua, which performs reassembly of packets. It's TCP-based, but hopefully it provides a nice starting point for you. I'm not sure, but I don't think the technique employed is limited to only TCP-based protocols.
answered 30 Jan '17, 08:50
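Added example, not taken from the question, the answer, or fpm.lua: fpm.lua reassembles by setting pinfo.desegment_len / pinfo.desegment_offset, which only works when the layer underneath (TCP) honours those fields and holds the bytes back. A dissector registered directly on a DLT_USER link type has no such transport beneath it, so a plugin in that position has to keep the fragment state itself. The sketch below does that for a constructed two-layer protocol: a lower layer "subproto" on wtap.USER0 whose header (stream id, sequence number, flags with bit 0 = last fragment, payload length) is an assumption invented for the example, and an upper layer "upperproto" that is only dissected once every fragment of a stream has arrived. Reassembly is done on the first pass only (pinfo.visited == false) and the result cached by frame number, so that re-dissection on later passes (filtering, clicking a packet) sees the same result.

```lua
-- Constructed example: manual cross-packet reassembly for a Lua dissector on a
-- DLT_USER link type. Header layout and names are assumptions, not a real protocol.

local subproto = Proto("subproto", "Example sub-protocol (constructed)")
local f_stream = ProtoField.uint16("subproto.stream", "Stream ID", base.DEC)
local f_seq    = ProtoField.uint16("subproto.seq", "Sequence", base.DEC)
local f_flags  = ProtoField.uint8("subproto.flags", "Flags", base.HEX)
local f_len    = ProtoField.uint16("subproto.len", "Payload length", base.DEC)
subproto.fields = { f_stream, f_seq, f_flags, f_len }
local ef_trunc = ProtoExpert.new("subproto.truncated", "Payload shorter than declared length",
                                 expert.group.MALFORMED, expert.severity.ERROR)
subproto.experts = { ef_trunc }

local upper = Proto("upperproto", "Example higher-level protocol (constructed)")
local f_msg = ProtoField.string("upperproto.msg", "Message")
upper.fields = { f_msg }

local HDR_LEN = 7
local streams   = {}   -- stream id -> { parts = { seq -> ByteArray }, first_frame = n }
local completed = {}   -- frame number -> { data = ByteArray, first_frame = n }

-- Reset state whenever a capture file is (re)loaded, otherwise stale fragments leak across files.
function subproto.init()
  streams = {}
  completed = {}
end

-- Upper-layer dissector: only ever sees a fully reassembled message.
local function dissect_upper(tvb, pinfo, tree)
  pinfo.cols.protocol = "UPPERPROTO"
  local t = tree:add(upper, tvb())
  t:add(f_msg, tvb(0))
  pinfo.cols.info = "Reassembled message, " .. tvb:len() .. " bytes"
end
upper.dissector = dissect_upper

function subproto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "SUBPROTO"
  if tvb:len() < HDR_LEN then return end
  local t = tree:add(subproto, tvb())
  local stream = tvb(0, 2):uint()
  local seq    = tvb(2, 2):uint()
  local flags  = tvb(4, 1):uint()
  local plen   = tvb(5, 2):uint()
  t:add(f_stream, tvb(0, 2))
  t:add(f_seq,    tvb(2, 2))
  t:add(f_flags,  tvb(4, 1))
  t:add(f_len,    tvb(5, 2))
  if tvb:len() < HDR_LEN + plen then
    t:add_proto_expert_info(ef_trunc)   -- declared length exceeds what is on the wire
    return
  end
  local payload = tvb(HDR_LEN, plen)
  local last = (flags % 2) == 1         -- bit 0 marks the final fragment

  if not pinfo.visited then
    -- First pass: collect fragments per stream in arrival order, keyed by sequence number.
    local s = streams[stream]
    if s == nil then
      s = { parts = {}, first_frame = pinfo.number }
      streams[stream] = s
    end
    s.parts[seq] = payload:bytes()
    if last then
      -- Concatenate in sequence order; a gap means the message cannot be rebuilt.
      local whole, ok = ByteArray.new(), true
      for i = 0, seq do
        if s.parts[i] == nil then ok = false; break end
        whole:append(s.parts[i])
      end
      if ok then completed[pinfo.number] = { data = whole, first_frame = s.first_frame } end
      streams[stream] = nil
    end
  end

  local done = completed[pinfo.number]
  if done then
    -- Hand the rebuilt bytes to the upper dissector as a new Tvb (shows as its own bytes tab).
    local rtvb = done.data:tvb("Reassembled upperproto")
    t:append_text(" [reassembled from frame " .. done.first_frame .. "]")
    dissect_upper(rtvb, pinfo, tree)
  else
    pinfo.cols.info = "Stream " .. stream .. " fragment " .. seq .. (last and " (last, incomplete)" or "")
  end
end

DissectorTable.get("wtap_encap"):add(wtap.USER0, subproto)
```

Two caveats for the real protocol: the first pass must see every frame in order (Wireshark does this for a file load, but a live capture with display filtering applied mid-stream can still dissect out of sequence), and the per-stream table is unbounded, so a stream that never sends its last fragment occupies memory until the file is reloaded; a production plugin should age out entries or cap the fragment count per stream.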