
Display Filter: Data[X] and Data.Len


I'd like to use filters to verify data in payload packets. The API in question uses the 5th byte as the length of the overall payload. I would like to create a filter to show me packets where this payload is malformed.

Something like (Data[4] != Data.Len) appears like it would do the job, but I can't get it to work due to type mismatching, etc. I can get (Data[4] == 0x12) && (Data.Len != 0x12) to work, but that only helps me for that specific payload length and I would have to search for every unique value.

It seems like this should be something easy enough to make work, but I think I'm just missing one little piece.

Thanks.

asked 22 Jun '17, 12:53


Brimmstone


One Answer:


While you could probably achieve this via tshark and some scripting, why not create a dissector for your foo protocol? That way, you could simply add an "Expert Info" warning for when foo.len is not equal to the actual payload length. You can write your dissector in C and compile it into Wireshark (Refer to the Developer's Guide for how to do this), or you could more quickly just write a Lua dissector instead, which doesn't require that you recompile Wireshark. There are many resources available for helping to write a Lua dissector, among them:

In the event you just want to start with Lua, then to help get you started you can have a look at this simple example:

```lua
-- Protocol
local p_foo = Proto("foo", "FOO Protocol")
local FOO_PORT = 1234

-- Fields
local f_foo_field1 = ProtoField.uint32("foo.field1", "Some Field", base.HEX)
local f_foo_field2 = ProtoField.uint8("foo.field2", "Some Other Field", base.HEX)
local f_foo_len = ProtoField.uint8("foo.len", "Length", base.DEC)
local f_foo_len_bad = ProtoField.bool("foo.len_bad", "Length bad", base.NONE, {"True", "False"}, 0x00)

p_foo.fields = { f_foo_field1, f_foo_field2, f_foo_len, f_foo_len_bad }

-- Initialize expert fields (See: https://wiki.wireshark.org/LuaAPI/TreeItem)
local ef_len_bad = ProtoExpert.new("foo.expert.length_bad", "Bad length", expert.group.PROTOCOL, expert.severity.WARN)

-- Register expert fields
p_foo.experts = { ef_len_bad }

-- Dissection function
function p_foo.dissector(tvbuf, pinfo, tree)
    local foo_tree = tree:add(p_foo, tvbuf(0,-1))
    local len_item
    local len_bad   -- tree item for the generated bool field (local so it does not leak into the global table)

    pinfo.cols.protocol:set("FOO")
    foo_tree:add(f_foo_field1, tvbuf(0, 4))
    foo_tree:add(f_foo_field2, tvbuf(4, 1))
    len_item = foo_tree:add(f_foo_len, tvbuf(5, 1))

    -- Compare the declared length with the number of bytes actually in the buffer
    local foolen = tvbuf(5, 1):uint()
    if foolen == tvbuf:len() then
        len_bad = foo_tree:add(f_foo_len_bad, tvbuf(5, 1), false)
        len_item:append_text(" [correct]")
    else
        len_bad = foo_tree:add(f_foo_len_bad, tvbuf(5, 1), true)
        len_item:append_text(" [invalid]")
        len_item:add_tvb_expert_info(ef_len_bad, tvbuf(5, 1))
    end
    len_bad:set_generated()
    -- len_bad:set_hidden()
end

-- Registration
local udp_table = DissectorTable.get("udp.port")
udp_table:add(FOO_PORT, p_foo)
```

To see if any packets have a bad length field, you can just apply a display filter of foo.len_bad or choose Analyze -> Expert Information to see if there are any.

answered 24 Jun '17, 12:32


cmaynard ♦♦
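The answer mentions the other route, "tshark and some scripting", without showing it. The following is an added example (not cmaynard's code, not part of the original thread) of that route for the questioner's exact rule: the 5th byte (Data[4]) must equal the payload length. It assumes tshark was run as `tshark -r capture.pcapng -Y data -T fields -E separator=/t -e frame.number -e data.len -e data.data`, which prints one tab-separated line per frame that has a `data` layer, and it accepts both the colon-separated and the plain hex spelling of `data.data`. The sample lines are constructed for the example.

```python
"""Offline check of 'length byte vs. actual payload length' over tshark field output.

Assumed tshark invocation (constructed example, not from the original thread):

    tshark -r capture.pcapng -Y data -T fields -E separator=/t \
           -e frame.number -e data.len -e data.data
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

LENGTH_OFFSET = 4   # the API stores the total payload length in the 5th byte (Data[4])


@dataclass
class LengthCheck:
    frame: int
    actual_len: int
    claimed_len: Optional[int]   # None when the payload is too short to contain the length byte

    @property
    def malformed(self) -> bool:
        # A payload with no length byte at all is malformed, as is a wrong length byte.
        return self.claimed_len is None or self.claimed_len != self.actual_len


def parse_hex_payload(field: str) -> bytes:
    """tshark prints data.data as 'de:ad:be:ef' (older builds) or 'deadbeef' (newer builds)."""
    return bytes.fromhex(field.replace(":", "").strip())


def check_line(line: str) -> Optional[LengthCheck]:
    """Parse one tab-separated tshark line; returns None if the frame has no data layer."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not parts[2]:
        return None
    frame, data_len, data_hex = parts
    payload = parse_hex_payload(data_hex)
    actual = int(data_len)
    if actual != len(payload):
        # data.len and data.data disagree: the tshark output was truncated or mangled
        raise ValueError(f"frame {frame}: data.len={actual} but {len(payload)} bytes decoded")
    claimed = payload[LENGTH_OFFSET] if len(payload) > LENGTH_OFFSET else None
    return LengthCheck(int(frame), actual, claimed)


def malformed_frames(lines: Iterable[str]) -> List[LengthCheck]:
    """Return the checks for every frame whose length byte does not match the payload length."""
    results = [check_line(line) for line in lines]
    return [r for r in results if r is not None and r.malformed]


# Constructed sample output: frame.number <TAB> data.len <TAB> data.data
SAMPLE_TSHARK_OUTPUT = [
    "1\t6\t01:02:03:04:06:ff",                  # byte[4] == 0x06 == data.len  -> ok
    "2\t6\t01:02:03:04:12:ff",                  # byte[4] == 0x12 != 6         -> malformed
    "3\t3\t01:02:03",                           # too short to hold a length byte -> malformed
    "4\t18\t" + "00" * 4 + "12" + "aa" * 13,    # 0x12 == 18, newer plain-hex spelling -> ok
]

if __name__ == "__main__":
    for r in malformed_frames(SAMPLE_TSHARK_OUTPUT):
        print(f"frame {r.frame}: claimed={r.claimed_len} actual={r.actual_len}")
```

To run it against a real capture, pipe the tshark command from the docstring into the script and feed `sys.stdin` to `malformed_frames`; the frame numbers it reports can then be pasted back into Wireshark as a `frame.number in {...}` display filter. Note that `data.len` is the length of the `data` layer as Wireshark dissected it, so the check only means something when the whole payload lands in that layer.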