I would like to make a dissector in LUA for a protocol thats based on the IEEE 802.15.4 protocol. Its closely enough related that I've been modifying the 802154 dissector in the source code but there are some other things I'd like to do in a LUA script. In the LUA script I need to specify the UDP port number for the protocol I'm interested in. How do I go about figuring out what UDP port number the IEEE 802.15.4 protocol has as I'd like my lua script to work for that port. Thanks asked 29 Jun '17, 12:17 jjamison showing 5 of 7 show 2 more comments |
I'm not sure I understand what exactly you want to achieve. The Lua dissector is invoked by the dissector of a lower layer ("transport") protocol in order to dissect its "payload".
So you can tell the UDP dissector to invoke your Lua dissector for packets whose source or destination port is a given one, but the Lua dissector itself doesn't need to know the port number at all, it just gets the UDP payload for handling.
However, if you want the Lua dissector get always invoked but actually do something only if the UDP port is a given one, you can access the already dissected data about the following way (I don't remember it exactly and it is a bit tricky):
udp_port_extractor = Field.new("udp.port")
local udp_port = udp_port_extractor()
Thanks for the quick reply, ok that makes sense. I was just asking for the port number because the lua dissector examples I've seen has a line that says something along the lines of:
udp_table = DissectorTable.get("udp.port") udp_table:add(XXX, foo_proto)
How do you go about calling a lua dissector from source dissector?
Exactly that way. The Lua script is started once at Wireshark startup and it registers the protocol it can handle (SomeProto), the fields of that protocol, and provides the actual dissection function (SomeProto.dissector() ). And it also may register SomeProto (or SomeProto.dissector, it makes no difference) to so-called "dissector table(s)" of its transport protocol(s) dissectors which these dissectors consult when choosing a dissector for their payload. So in your example, the UDP dissector has a table which maps port numbers to payload protocols (or dissectors handling these protocols).
It may register because it is not mandatory, you can also use
Decode as...
to fill the dissector tables.If the UDP port is allocated dynamically, the above method isn't of much use. In this case, you may use the "heuristic dissector" approach, which consists in registering your dissector as a heuristic one for a given transport and writing it in such a way that it either returns 0 if it doesn't "like" the data offered or performs the dissection and returns the whole length of the dissection buffer if it can do that. This way, the transport dissector doesn't care about port numbers but tries the heuristic dissectors one after another until the first one succeeds.
How do you use Decode as..., is that used in Lua to add it to the proper dissector table automatically? I can't find any documentation on it online.
Also, Im actually not using the UDP dissector, I'm dissecting IEEE 802.15.4 traffic, I just misunderstood earlier and thought you had to define a UDP port for all lua dissectors regardless of their type.
Thanks again for your help
udp_table = DissectorTable.get("udp.port") udp_table:add(XXX, foo_proto)
in Lua code is equivalent to choosing an UDP packet with source or destination port XXX in the packet list on GUI and using right-click - Decode as... to choose a payload protocol (or, in another words, its dissector) for port XXX.The original IEEE 802.15.4 dissector has a single dissector table named
wpan.panid
so you may tell it to use your Lua dissector for particularpanid
values the way described above.But maybe I still do not understand what you want to do. I don't know any method of letting Lua code cooperate with C code directly. Lua dissectors can invoke dissectors written in C and vice versa, but having part of the code of a given dissector in C and another part of code of that same dissector in Lua is not possible AFAIK.
Basically what I'm tyring to do is have a dissector in wireshark that parses through our packets and displays source/desitnation address, panID, sequence number etc and then calls a dissector written in lua that parses the payload. The reason we don't want to write everything in wireshark is because we want to be able to easily edit the payload dissection without having to rebuild the wireshark sources each time. The first part is already done and working, now working on the paylaod dissection in lua.
OK, if you can clearly identify part of the protocol data as "payload", you can register your Lua dissector as a dissector for a new distinct "protocol" representing just that payload, and let the modified 802.15.4 invoke it that way. There is a function in C which allows you to fetch a registered dissector and invoke it, but I cannot give you its exact name and parameters as I only write Lua dissectors.
So you would register your Lua dissector as
SomeProtoPayload = Proto("my_payload","My 802.15.4 payload")
and provide the dissector function itself:
function SomeProtoPayload.dissector(buffer,pinfo,tree) ... end
In the initialisation part of the C dissector, you would use an equivalent of the following Lua code:
payload_dissector = Dissector.get("my_payload")
And in the dissector function, you would use an equivalent of
payload_dissector(buffer,pinfo,tree)
Some checks (e.g. that fetching the dissector was successful) would be wise.
The best part of it is that the field names as used in display filters etc. have no relationship to the protocol name, so you can let both the C dissector and the Lua dissector create fields whose names start with the same string (like
my_proto.field_x
,my_proto.field_y
) so for the user there will be no difference between fields contributed by C and fields contributed by Lua.