How to get a reference to an existing heuristic dissector in LUA (in order to wrap RTPS) ?

Question

Hello,

We are trying to create a chained dissector in LUA (as described in Wireshark wiki page) but we are not able to get a reference to existing heuristic dissector ! :( For "normal" (= non-heuristic) dissector, it works fine. In our case, we try to wrap RTPS (Real-Time Publish-Subscribe) protocol.

We looked at source code (in epan/dissectors/packet-rtps.c) and we think we are using expected name. Unfortunately, with Wireshark v2.2.7, we are not able to get UDP heuristic dissector table, nor RTPS dissector. It seems that DissectorTable.get() is only used for "normal" dissector (it triggers an error for heuristic "udp" but not for normal "udp.port"). And Dissector.get("rtps") fails too: no such dissector. But Dissector.get("rtitcp") works fine. We can notice that RTPS is not contained in Dissector.list().

Q1) what are we missing ?

Q2) is it a bug in Wireshark ?

Thanks for your help, Contrib

Answer 1

0

The Wireshark Lua Examples wiki page provides a dissector.lua file written by Hadriel Kaplan that illustrates how to register a heuristic Lua dissector with UDP, namely:

Line 587: dns:register_heuristic("udp",heur_dissect_dns)

answered 07 Jun '17, 07:54

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

@cmaynard Thanks, but we already found this example.

You may have been confused by the title (and my "poor" english, sorry ^_^): here, "reference" stands for LUA (runtime) object, not for documentation pointer.

But as described in my previous post, we need to wrap (aka create a "chained dissector" for) an existing protocol (here: RTPS). In order to do so, we need to:

get original dissector (=> rtps)
create a new dissector (=> rtpswrap)
in wrapper body, call original dissector and then add our custom stuff
register this "new" wrapper

Unfortunately, our problem is the first step: based on LUA API, it seems there are 2 ways to get original dissector:

1st way: get a dissector table (thanks to: DissectorTable.get()) then get existing dissector thanks to dtbl:get_dissector()
2nd way: call directly Dissector.get()

It turns out that in our case, with RTPS protocol, both ways return an error ! :(

We checked that in Wireshark GUI menu: View -> Internals -> Dissector Tables, RTPS protocol is contained in UDP's Heuristic Table (and nowhere else). Consequently, following 1st way, we would need to be able to get UDP heuristic dissector table in LUA script, but DissectorTable.get("udp") triggers an error. It seems that this function should only be used for "normal" dissector, one registered to a fix port for example (so not heuristic). We also checked that "udp" is present in DissectorTable.heuristic_list() but it should only be used with Proto:register_heuristic() and so we can not access to original RTPS dissector.

Following 2nd way, we tried to call Dissector.get("rtps") but here again, an error is triggered: no such dissector. We noticed that "rtps" is not present in Dissector.list() and it seems weird.

Then, we looked at source code: wireshark-2.2.7/epan/dissectors/packet-rtps.c#L11544 and we noticed another protocol implemented alongside RTPS: "rtitcp". It turns out that "rtitcp" is present in Dissector.list() and call to Dissector.get("rtitcp") works fine (no error contrary to "rtps").

Consequently, it seems that "rtps" protocol implementation missed something compare to "rtitcp". In order to be able to access to original dissector in LUA, we may need to register it to a fix (dummy) port ? or add a new function in LUA API in order to get a heuristic dissector ?

Or maybe there is a 3rd way to get existing dissector ?

(07 Jun '17, 14:16) Lua Hobbyist

Answer 2

Replying to my own questions: it seems there are limitations in current Wireshark LUA API

no way to get a dissector that has only been registered as "heuristic" (EXAMPLE: RTPS)
no way to replace an existing heuristic dissector in a dissector table by a wrapper implemented in LUA. There is a way to add a heuristic dissector, but what if original dissector is called first ? wrapper will never be called... So we would need to be able to overwrite objects in heuristic dissector table or to change order in this list.

Concerning RTPS, a workaround to first previous limitation is below: (/!\ need to patch source code + recompile)

wireshark-2.2.7_RTPS_registration_for_LUA_access.patch

--- wireshark-2.2.7_OLD/epan/dissectors/packet-rtps.c
+++ wireshark-2.2.7_NEW/epan/dissectors/packet-rtps.c
@@ -11534,10 +11534,15 @@
               &enable_topic_info);
register_init_routine(rtps_init);
rtps_type_name_table = register_dissector_table("rtps.type_name", "RTPS Type Name",
proto_rtps, FT_STRING, BASE_NONE);
+

/* In order to get this dissector in LUA (aka "chained-dissector") */
register_dissector("rtps_udp", dissect_rtps_udp, proto_rtps);
register_dissector("rtps_tcp", dissect_rtps_tcp, proto_rtps);
register_dissector("rtps_rtitcp", dissect_rtps_rtitcp, proto_rtps);
}

void proto_reg_handoff_rtps(void) {
heur_dissector_add("rtitcp", dissect_rtps_rtitcp, "RTPS over RTITCP", "rtps_rtitcp", proto_rtps, HEURISTIC_ENABLE);

Thanks to previous patch, we are able to get access to original RTPS dissector in LUA script thanks to Dissector.get(“rtps_udp”).

There is still the second limitation: this time, a workaround is to use UDP dissector table and register the new wrapper to a specific UDP port.