Hello, I'm trying to write a Wireshark dissector using a Lua script. I looked at the web pages for examples and explanations: https://wiki.wireshark.org/Lua https://wiki.wireshark.org/Lua/Examples However, I still have something that I do not understand. I receive data in EtherNet/IP (Industrial Protocol) using UDP. So I have something like that: IP->UDP->EtherNet/IP --> My dissector. Until now, I can use my dissector but it always starts at the UDP data level. I want it to start at the EtherNet/IP data level. Where should I do that? And how can I do that?
I have a doubt about three lines that should contain the modification: Maybe I should set root with something but I cannot find which one? Where can I find information about that?
Maybe I need to set something different from "udp" here, but where can I find the string for the EtherNet/IP protocol?
Can anyone help me with that? Thank you very much!
asked 24 Oct '17, 08:47
Hello, thank you for your answer. In fact, actually, using Wireshark without the dissector I wrote, I get the Capture_CIP.jpg image. The ENIP protocol is used with the UDP protocol. I want to add a dissector to parse the data part at the end of the ENIP packet. "Data : 7905010000..."
To do that I wrote the following Lua script:
-- creates a Proto object, but doesn't register it yet
local cip_ttt = Proto("myCIP","CIP Sub Protocol")
With this script, I got the Capture_Actual_Dissector.jpg image.
The problem I meet is that my dissector starts from the UDP data packet, and not from the data of the ENIP packet. I think it is due to this line:
But I do not know how to change it and with which code in order to do what I want. Can you help me understand what's wrong in my script and what's the best solution? Thank you very much.
answered 26 Oct '17, 09:25
edited 26 Oct '17, 12:08
Can you provide a sample capture file (a single packet should be enough)? As I don't know CIP, I cannot be more specific than below without seeing the packet.
The CIP dissector is embedded in Wireshark, so the first question is whether either the UDP dissector finds out using a heuristic that the UDP payload is a CIP one, or whether there is an IANA registered UDP port for CIP, which means that the dissector table udp.port would contain a line saying that for this port number the CIP dissector should be invoked on the payload. If neither is true, you have to add such a line to the udp.port dissector table for the port number your equipment is using.
The second point is that you have to tell the CIP dissector itself that it should use your Lua dissector for particular types of its payload. The embedded CIP dissector uses two dissector tables: cip.data_segment.iface, and if your private payload can be identified using one of the fields used as index to these tables, you have to register your dissector to one of these tables.
I know you probably wrote this as an answer because of the size.
Can you convert it to a comment? I've tried (after fixing the images for display in a comment) but some OSQA brokenness won't let me.
If you register your dissector with the UDP port then you will override the CIP dissector, hence the output you see.
You will need to hook your dissector into the CIP one via a dissector table, but I'm not sure if there is a suitable table to do so for a connected data item.
Placing my comment here as it would otherwise disappear once you would convert your "Answer" into a comment as @grahamb has asked you to.
I am a bit confused by seeing UDP port 2222 on your pictures and 65533 in your Lua code. As you've guessed yourself and as @grahamb wrote, the Lua line below replaces the original CIP dissector (which handles ENIP as well, as the two are close twins) by your dissector (the add method is actually a replace if there already is a record for that index) in the UDP dissector's only dissector table (udp.port) for port 65533, but it should not do so for port 2222.
If you are lucky, replacing the line
(or, possibly, by
could hook your
cip_ddu dissector to the right place.
If you are not lucky, you'll have to extend your Lua dissector with a part duplicating the functionality of the embedded CIP/ENIP dissector as it would mean that none of the existing one's hook points (dissection tables) is the right one you need, and you would hook that extended one to the
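The two registration choices discussed in this thread, written out as an added example (this is not the asker's script nor code from Wireshark; the field layout, the names mycip.*, the 0x79 key value and the exact semantics of the cip.data_segment.iface key are assumptions for illustration):

```lua
-- Added example: a minimal CIP sub-dissector that shows why the choice of
-- dissector table decides where in the tree the dissector starts.
-- Assumed payload layout (constructed for this example): 1-byte tag,
-- 1-byte length, then "length" bytes of opaque data.
local cip_ttt = Proto("myCIP", "CIP Sub Protocol")

local f_tag  = ProtoField.uint8("mycip.tag",  "Tag",    base.HEX)
local f_len  = ProtoField.uint8("mycip.len",  "Length", base.DEC)
local f_data = ProtoField.bytes("mycip.data", "Data")
cip_ttt.fields = { f_tag, f_len, f_data }

-- Flag a payload that is shorter than its own length field instead of
-- silently dropping it; truncated or malformed frames are worth seeing.
local ef_short = ProtoExpert.new("mycip.short.expert",
                                 "Payload shorter than its length field",
                                 expert.group.MALFORMED, expert.severity.ERROR)
cip_ttt.experts = { ef_short }

-- "buffer" is whatever the *parent* dissector hands down. Whether that is the
-- whole UDP payload or only the CIP data segment depends solely on which
-- dissector table this Proto was added to (see the two options below).
function cip_ttt.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len < 2 then return 0 end            -- nothing we can interpret

    pinfo.cols.protocol = cip_ttt.name
    local subtree = tree:add(cip_ttt, buffer(), "CIP Sub Protocol Data")
    subtree:add(f_tag, buffer(0, 1))
    subtree:add(f_len, buffer(1, 1))

    local datalen = buffer(1, 1):uint()
    if len < 2 + datalen then
        -- Truncated: show what is there and attach the expert info.
        subtree:add(f_data, buffer(2))
        subtree:add_proto_expert_info(ef_short)
    else
        subtree:add(f_data, buffer(2, datalen))
    end
    return len
end

-- Option A (what the original script effectively did): claim the UDP port.
-- udp.port holds one dissector per port, so add() replaces the built-in
-- ENIP/CIP dissector for that port, and the tree then starts at "UDP data".
-- DissectorTable.get("udp.port"):add(65533, cip_ttt)

-- Option B (what the answers suggest trying): hook underneath the built-in
-- CIP dissector through one of its own tables, so ENIP/CIP is still parsed by
-- Wireshark and only the data segment reaches this dissector. The key 0x79 is
-- an assumption; it must match whatever value the CIP dissector looks up.
local ok, cip_table = pcall(DissectorTable.get, "cip.data_segment.iface")
if ok and cip_table then
    cip_table:add(0x79, cip_ttt)
else
    print("myCIP: dissector table cip.data_segment.iface not found in this build")
end
```

Load the script with `wireshark -X lua_script:mycip.lua` (or drop it in the plugins directory). If the packet still shows up as plain UDP data with option B active, the key or the table is not the one the CIP dissector consults for this payload, which is the "not lucky" case described above.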
Hello, thank you for your help. I will try that. I will also try to change the answer I made yesterday to a comment. It's not working just now. Thank you.