Custom dissector for LLC Payload in Lua

Hi,

I'd like to preface this by stating that this is my first time making a dissector in Lua (or really working in Wireshark for that matter) so if anything is unclear I'd be more than happy to clarify. My goal is to make a custom dissector for a protocol on top of SNAP LLC frames. Since the protocol info is currently dissected as "data," it seems that a chained dissector is appropriate. Using https://delog.wordpress.com/2010/09/27/create-a-wireshark-dissector-in-lua/ as a guide, I have created the following:

iiot = Proto("myproto", "My Protocol")

-- Fields: a 16-bit type value followed by the rest of the payload as a string
local f_type = ProtoField.new("Type Value", "myproto.type", ftypes.UINT16, nil, base.HEX)
-- ProtoField.string takes the filter abbreviation first, then the display name
local f_data = ProtoField.string("myproto.data", "Data")

iiot.fields = { f_type, f_data }

function iiot.dissector(buf, pkt, root)
  pkt.cols.protocol:set("IIOT")

  local pktlen_remaining = buf:reported_length_remaining()
  local tree = root:add(iiot, buf:range(0, pktlen_remaining))

  -- First two bytes: type value
  tree:add(f_type, buf:range(0, 2))
  local typeid = buf:range(0, 2)
  pkt.cols.info:set("(".. typeid ..")")

  pktlen_remaining = pktlen_remaining - 2

  -- Remaining bytes: data
  tree:add(f_data, buf:range(2, pktlen_remaining))
  local data = buf:range(2, pktlen_remaining)
  pkt.cols.info:set("(".. data ..")")
end

-- Register this dissector for DSAP 170 (0xaa) in the llc.dsap table
local llc_dissector_table = DissectorTable.get("llc.dsap")
dissector = llc_dissector_table:get_dissector(170)
llc_dissector_table:add(170, iiot)

I suppose my question is two-fold. At present, my dissector loads and I can filter by “myiiot”. However, I am unable to dissect my packets using the “Decode As…” window. Since my packets are 0xaa SNAP, shouldn’t they automatically be dissected by my script? Is there a way to do this manually assuming the code is correct? Apologies if I am missing something obvious.

edit: Here is a CloudShark link for the capture https://www.cloudshark.org/captures/fef0e7fd73d3

asked 10 Feb ‘17, 07:12

brownfox

edited 21 Feb ‘17, 11:44

Can you share the capture that generated the screenshot in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc. so others can test the script?

(10 Feb ‘17, 07:37) grahamb ♦

Did you find a solution? I am currently working on something similar.

(05 Apr ‘17, 00:50) nikdubois