This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to reassemble custom protocols with Lua?


I have a custom protocol which combines to make a higher-level protocol. It is analogous to HTTP over TCP, but it is NOT either of those.

I have implemented a custom dissector for the lower level custom protocol. I used one of the DLT_USER linktypes to register the protocol in my lua plugin. I managed to successfully dissect all of the fields required in this "subprotocol".

Now, I would like to "reassemble" or combine packets of this subprotocol to display the higher level protocol. I am struggling to figure out how to do this. I have found some documentation relating to TCP reassembly, but I am not sure reassembly will work with my custom protocol since it is not TCP and it has its own custom linktype.

I am wondering if a tap is the right solution for me?

asked 30 Jan '17, 08:31


GTOET_half_full


One Answer:


I would recommend visiting the Wireshark Lua/Examples wiki page and reviewing some of the example Lua files provided there. In particular, see fpm.lua, which performs reassembly of packets. It's TCP-based, but hopefully it provides a nice starting point for you. I'm not sure, but I don't think the technique employed is limited to only TCP-based protocols.

answered 30 Jan '17, 08:50


cmaynard

Thank you for your response. I have delved into that file already, and it is hard to tell whether or not the techniques in it can work with non-TCP-based protocols. I have tried playing with pinfo.desegment_len, but to no avail so far...

(30 Jan '17, 09:15) GTOET_half_full
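Since the thread above leaves open whether the fpm.lua desegmentation approach applies without TCP underneath, here is an added example (not from the thread and not from fpm.lua) that buffers fragments in Lua itself, because pinfo.desegment_len is only acted on by a transport dissector such as TCP, and there is none under a DLT_USER linktype. The protocol name, the 5-byte fragment header (stream id, flags with bit 0 marking the last fragment, payload length), and the DLT_USER0 registration are assumptions made for this example.

```lua
-- Added example (not from the thread or from fpm.lua). Assumed fragment header
-- of the custom subprotocol (constructed for this example):
--   uint16 stream id | uint8 flags (bit 0 = last fragment) | uint16 payload length
-- pinfo.desegment_len only works when a transport dissector such as TCP honours
-- it; there is none under DLT_USER0, so the buffering is done in Lua here.
local sub = Proto("mysub", "Custom fragmenting subprotocol")  -- hypothetical name
local f_stream = ProtoField.uint16("mysub.stream", "Stream ID", base.DEC)
local f_flags  = ProtoField.uint8("mysub.flags", "Flags", base.HEX)
local f_len    = ProtoField.uint16("mysub.len", "Payload length", base.DEC)
sub.fields = { f_stream, f_flags, f_len }
local HDR_LEN = 5
local pending     = {}  -- stream id -> ByteArray still being accumulated (first pass)
local reassembled = {}  -- frame number -> complete ByteArray, so re-dissection is stable
local upper = Dissector.get("data")  -- swap in the higher-level protocol's dissector

function sub.init()  -- reset state whenever the capture is (re)loaded
  pending, reassembled = {}, {}
end

function sub.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "MYSUB"
  if tvb:len() < HDR_LEN then return 0 end
  local stream = tvb(0, 2):uint()
  local flags  = tvb(2, 1):uint()
  local plen   = tvb(3, 2):uint()
  if tvb:len() < HDR_LEN + plen then return 0 end  -- truncated frame: do not trust it
  local t = tree:add(sub, tvb(0, HDR_LEN + plen))
  t:add(f_stream, tvb(0, 2)); t:add(f_flags, tvb(2, 1)); t:add(f_len, tvb(3, 2))

  if not pinfo.visited then
    -- First pass only: append this fragment; on the last one, freeze the buffer
    -- under this frame number so later passes need no re-accumulation.
    local buf = pending[stream] or ByteArray.new()
    buf:append(tvb(HDR_LEN, plen):bytes())
    if flags % 2 == 1 then
      reassembled[pinfo.number] = buf
      pending[stream] = nil
    else
      pending[stream] = buf
    end
  end

  local whole = reassembled[pinfo.number]
  if whole then
    -- Hand the complete message to the higher-level dissector as a fresh Tvb.
    upper:call(whole:tvb("Reassembled message"), pinfo, tree)
    pinfo.cols.info:append(string.format(" [Reassembled %d bytes]", whole:len()))
  else
    pinfo.cols.info = string.format("Fragment of stream %d", stream)
  end
  return HDR_LEN + plen
end

DissectorTable.get("wtap_encap"):add(wtap.USER0, sub)
```

Keying the finished buffer by frame number is what keeps the reassembled message visible when a packet is re-dissected on click or filter, since pinfo.visited is true on those later passes.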