While you could probably achieve this via tshark and some scripting, why not create a dissector for your foo protocol? That way, you could simply add an "Expert Info" warning for when foo.len is not equal to the actual payload length. You can write your dissector in C and compile it into Wireshark (Refer to the Developer's Guide for how to do this), or you could more quickly just write a Lua dissector instead, which doesn't require that you recompile Wireshark. There are many resources available for helping to write a Lua dissector, among them:
In the event you just want to start with Lua, then to help get you started you can have a look at this simple example:
-- Protocol
local p_foo = Proto("foo", "FOO Protocol")
local FOO_PORT = 1234

-- Fields
local f_foo_field1 = ProtoField.uint32("foo.field1", "Some Field", base.HEX)
local f_foo_field2 = ProtoField.uint8("foo.field2", "Some Other Field", base.HEX)
local f_foo_len = ProtoField.uint8("foo.len", "Length", base.DEC)
local f_foo_len_bad = ProtoField.bool("foo.len_bad", "Length bad", base.NONE, {"True", "False"}, 0x00)
p_foo.fields = { f_foo_field1, f_foo_field2, f_foo_len, f_foo_len_bad }

-- Initialize expert fields (See: https://wiki.wireshark.org/LuaAPI/TreeItem)
local ef_len_bad = ProtoExpert.new("foo.expert.length_bad", "Bad length",
    expert.group.PROTOCOL, expert.severity.WARN)

-- Register expert fields
p_foo.experts = { ef_len_bad }

-- Dissection
function p_foo.dissector(tvbuf, pinfo, tree)
    local foo_tree = tree:add(p_foo, tvbuf(0,-1))
    local len_item
    local len_bad  -- declared local so it does not leak into the global environment
    pinfo.cols.protocol:set("FOO")
    -- Layout: 4-byte field1, 1-byte field2, 1-byte length. A payload shorter than
    -- 6 bytes makes tvbuf(5, 1) raise, which Wireshark reports as a malformed packet.
    foo_tree:add(f_foo_field1, tvbuf(0, 4))
    foo_tree:add(f_foo_field2, tvbuf(4, 1))
    len_item = foo_tree:add(f_foo_len, tvbuf(5, 1))
    -- foo.len is compared against the whole payload length, header included
    local foolen = tvbuf(5, 1):uint()
    if foolen == tvbuf:len() then
        len_bad = foo_tree:add(f_foo_len_bad, tvbuf(5, 1), false)
        len_item:append_text(" [correct]")
    else
        len_bad = foo_tree:add(f_foo_len_bad, tvbuf(5, 1), true)
        len_item:append_text(" [invalid]")
        len_item:add_tvb_expert_info(ef_len_bad, tvbuf(5, 1))
    end
    len_bad:set_generated()
    -- len_bad:set_hidden()
end

-- Registration
local udp_table = DissectorTable.get("udp.port")
udp_table:add(FOO_PORT, p_foo)
To see if any packets have a bad length field, you can just apply a display filter of foo.len_bad or choose "Analyze -> Expert Information" to see if there are any.
answered 24 Jun ‘17, 12:32
cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%
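The answer above also mentions the tshark-plus-scripting route. The following is an added example of that route, not code from the answer or from the Wireshark project: it applies the same length check the Lua dissector performs (foo.len at byte 5 must equal the whole payload length) to tshark field output. It assumes the foo layout from the dissector above and a tshark invocation of the form tshark -r foo.pcap -Y 'udp.port == 1234' -T fields -e frame.number -e data.data; the sample output lines are constructed, not a real capture, and the script also reports packets too short to carry foo.len, which the dissector would instead show as malformed.

```python
"""Offline check of the foo length field over tshark '-T fields' output.

Added example; not part of the original answer. Layout assumed from the Lua
dissector: bytes 0-3 field1, byte 4 field2, byte 5 len, where len must equal
the full payload length (what tvbuf:len() returns in the dissector).
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FOO_HEADER_LEN = 6  # field1 (4) + field2 (1) + len (1)


@dataclass
class FooCheck:
    frame: int
    declared_len: Optional[int]  # value of foo.len, None if the packet is too short
    actual_len: int
    status: str                  # "correct", "invalid" or "truncated"


def check_foo_payload(frame: int, payload: bytes) -> FooCheck:
    """Same rule as the dissector: foo.len must equal the whole payload length."""
    actual = len(payload)
    if actual < FOO_HEADER_LEN:
        # The Lua dissector would raise on tvbuf(5, 1) here (malformed packet);
        # the script reports it explicitly instead.
        return FooCheck(frame, None, actual, "truncated")
    declared = payload[5]
    status = "correct" if declared == actual else "invalid"
    return FooCheck(frame, declared, actual, status)


def parse_tshark_fields_line(line: str) -> Tuple[int, bytes]:
    """Parse one tab-separated line from the assumed invocation:
       tshark -r foo.pcap -Y 'udp.port == 1234' -T fields -e frame.number -e data.data
    data.data is hex; older releases separate bytes with colons, so strip them."""
    frame_str, hexdata = line.rstrip("\n").split("\t", 1)
    return int(frame_str), bytes.fromhex(hexdata.replace(":", ""))


def find_bad_lengths(lines: Iterable[str]) -> List[FooCheck]:
    """Return every packet whose foo.len does not match, or that is too short."""
    results = [check_foo_payload(*parse_tshark_fields_line(l)) for l in lines if l.strip()]
    return [r for r in results if r.status != "correct"]


# Constructed sample tshark output (frame.number <TAB> data.data), not a real capture
SAMPLE_TSHARK_OUTPUT = [
    "1\t000000010a08beef",               # len=8, payload is 8 bytes  -> correct
    "2\t00:00:00:02:0b:08:ca:fe:ba:be",  # len=8, payload is 10 bytes -> invalid
    "3\t0000",                           # too short to carry foo.len -> truncated
]

if __name__ == "__main__":
    # Pipe real tshark output in on stdin, or run with no input to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    for r in find_bad_lengths(source):
        print(f"frame {r.frame}: {r.status} (foo.len={r.declared_len}, payload={r.actual_len} bytes)")
```

The check mirrors the dissector exactly, so a packet flagged here is the same packet that would match the foo.len_bad display filter once the Lua dissector is installed; the script is only a stopgap for captures you cannot open with the dissector loaded.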