Our company has a big investment in Lua dissectors for all of the proprietary protocols our hardware uses, which we sniff in Wireshark. This makes Wireshark a very useful tool for live analysis and for cases where a user recorded with Wireshark and saved the capture for later analysis. The same data that we sniff with Wireshark is also logged to binary files in a process not involving Wireshark. My task is to create a process to parse (dissect) the binary log files and output them as JSON, and I would like to leverage our existing Lua dissectors if possible rather than rewrite the dissectors (in whatever appropriate language), which would be a big effort to create and maintain in parallel with the Lua scripts. But I don't think Lua Wireshark dissectors can run outside of Wireshark, because they depend on all of the Wireshark prototypes like Proto and ProtoField, etc. that are injected by Wireshark at runtime.
Here are the possibilities I've thought of. Are any of them feasible?
1) Somehow I would find Wireshark Lua files with all of the logic that is injected automatically when the Luas are running in Wireshark.
2) I would write Lua scripts that would be referenced by our existing scripts, to overload the logic injected automatically by Wireshark.
In both options 1 and 2, the Wireshark classes would return the parsed data to my program, which would emit it as JSON.
3) I would write a converter from our binary log files to Wireshark .pcapng files and spawn instances of Wireshark in a batch process, to consume and dissect the .pcapng files with the Lua files and write the output to a JSON or XML file.
Update: In a development potentially in favor of option #3, I can run tshark.exe (command-line utility which comes with Wireshark) to dump packets from a .pcapng file to the standard output. But only the equivalent of the Information column in Wireshark is output, not the dissected pane. If I specify one of our Lua files on the command line with the option:
-X lua_script:[my lua file]
I see the same sorts of errors from tshark that I was seeing when running the Lua scripts directly from Lua:
...dissector.lua:16: bad argument #2 to 'Proto' (Proto_new: there cannot be two protocols with the same description)
I sometimes need to use Wireshark to analyze communication issues with a particular protocol that my application uses. Wireshark already comes with a dissector for the protocol, and displays the communication in the best possible way I can imagine.
But I also need to view the actual communication together with events happening inside my application. The application is capable of generating various logs and traces. The information in them is actually more structured, but for the simplicity, let's say it is just a sequence of entries where each entry has a timestamp and a textual message.
Currently, I have to place the Wireshark and the logs alongside on the screen, and painfully correlate the timestamps in order to figure out how they belong together. In order to make my analysis much easier, I would like to view the information from my logs merged together with the communication protocol messages in Wireshark, properly sorted by their timestamps.
I found that Wireshark has a Merge capability, so this is where I am directing my investigation. I think that with some effort, I might be able to do the following:
1) Design my own "protocol", and generate PCAPNG file from my application, with the event timestamps and messages, and
2) Develop a Wireshark dissector for the above, so that I can view the events in Wireshark.
The first part of my question is whether my approach is the right one.
But I also wonder whether I cannot achieve what I want in some simpler way. Ideally, I would like to reuse something that already exists, and specifically, avoid developing a specialized dissector. Isn't there a protocol with identical features (just timestamps and textual messages), with a dissector that Wireshark already has, that I can use?
Maybe you could make use of syslog along with syslogd or rsyslogd?
One way to inject arbitrary messages into trace files without even having a syslog server is to make use of nc (netcat). For example:
echo -n "Hello World" | nc -w 0 -u 1.1.1.1 514
Wireshark will also dissect this message as syslog traffic. This can be useful when trying to insert "markers" into capture files near where an event of interest occurs.
In any case, making use of syslog facilities would save you from having to write your protocol.
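Both of the threads above come down to the same mechanical step: getting timestamped records that never crossed a network into a capture file, so that Wireshark's tooling can work on them (the existing Lua dissectors run by tshark in the first thread; mergecap and the stock syslog dissector in this one). The script below is an added example, not code from either post or from the Wireshark project. It wraps each record as a UDP datagram inside a classic pcap file using only the Python standard library. The MAC and IP addresses, the source port, the `apphost`/`myapp` syslog identifiers, the binary log records, and port 40000 as the port a proprietary Lua dissector is assumed to register on are all constructed for the example.

```python
"""Wrap timestamped records as UDP datagrams inside a classic pcap file.

Two uses: (1) convert a proprietary binary log into a capture that tshark can
run existing Lua dissectors over, and (2) turn application log lines into
syslog "markers" that mergecap can interleave with a real capture by timestamp.
Standard library only.
"""
import socket
import struct
from datetime import datetime, timezone

# Assumed addressing for the synthetic frames. Wireshark chooses the dissector
# from the UDP destination port, so the addresses are cosmetic.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SRC_PORT = 51400
SYSLOG_PORT = 514
PROPRIETARY_PORT = 40000  # assumption: the port your Lua dissector registers on

# Constructed sample inputs for the example (not real data).
APP_LOG = [
    (1700000000.000123, "connecting to broker 10.0.0.2:1883"),
    (1700000000.250456, "handshake complete, session id 42"),
    (1700000001.000789, "timeout waiting for PUBACK"),
]
BINARY_LOG_RECORDS = [  # (timestamp, raw record bytes as the device logged them)
    (1700000000.100000, bytes.fromhex("01020304aabbccdd")),
    (1700000000.500000, bytes.fromhex("0102030511223344")),
]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def syslog_payload(ts: float, tag: str, msg: str, pri: int = 14) -> bytes:
    """RFC 3164 line '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'; PRI 14 = user.info."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"<{pri}>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} apphost {tag}: {msg}".encode()


def build_frame(payload: bytes, dport: int) -> bytes:
    """Ethernet II + IPv4 + UDP around an arbitrary payload (UDP checksum 0 = none)."""
    udp = struct.pack("!HHHH", SRC_PORT, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + udp


def pcap_bytes(records) -> bytes:
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET) + one record per entry.

    records: iterable of (unix_timestamp, udp_dst_port, payload_bytes); written in
    chronological order, like a real capture.
    """
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, dport, payload in sorted(records, key=lambda r: r[0]):
        frame = build_frame(payload, dport)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        if usec == 1_000_000:  # rounding pushed us into the next second
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def record_count(pcap: bytes) -> int:
    """Walk the record headers back out; a cheap self-check on the writer."""
    off, n = 24, 0
    while off + 16 <= len(pcap):
        off += 16 + struct.unpack_from("<I", pcap, off + 8)[0]
        n += 1
    return n


if __name__ == "__main__":
    markers = [(ts, SYSLOG_PORT, syslog_payload(ts, "myapp", msg)) for ts, msg in APP_LOG]
    with open("app-events.pcap", "wb") as f:
        f.write(pcap_bytes(markers))
    # mergecap -w merged.pcapng real-capture.pcapng app-events.pcap

    wrapped = [(ts, PROPRIETARY_PORT, raw) for ts, raw in BINARY_LOG_RECORDS]
    with open("device-log.pcap", "wb") as f:
        f.write(pcap_bytes(wrapped))
    # tshark -r device-log.pcap -X lua_script:dissector.lua -T json > device-log.json
```

Run it, then hand the files to the Wireshark command-line tools: `mergecap -w merged.pcapng real-capture.pcapng app-events.pcap` interleaves the markers with a real capture by timestamp, and `tshark -r device-log.pcap -X lua_script:dissector.lua -T json` prints the full dissection tree (not just the Info column) as JSON. A zero UDP checksum is legal over IPv4, so Wireshark accepts the frames without complaint; if your Lua dissector keys on something other than the destination port, change `build_frame` accordingly.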
I am currently trying to read some PCAP files using WinPCAP-API.
With this example I managed to read the data, timestamp and length. But I do not get how to read the source and destination IP addresses and ports?
But I do not get how to read the source and destination IP addresses and ports?
By dissecting the raw packet data that WinPcap gives you; libpcap/WinPcap provide no APIs for dissecting raw packet data (because different libpcap/WinPcap applications have different needs - an intrusion detection application such as Snort and a packet analyzer such as tcpdump or Wireshark do different things with the data).
See, for example, libtins as a C++ library for doing packet dissection, or the libpcap tutorial for an example of how to do the dissecting yourself.
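As an added illustration of the answer above (example code, not from the post or from WinPcap/libpcap): the raw bytes that `pcap_next_ex` or a `pcap_loop` callback hands you are a link-layer frame plus a caplen, and the addresses and ports sit at fixed offsets in the Ethernet, IPv4 and TCP/UDP headers. The parser below does that in Python with the standard library so it runs without WinPcap installed; the two frames at the bottom are hand-constructed hex, not captured traffic. It also handles the cases a first attempt usually gets wrong: an 802.1Q VLAN tag, IPv4 options (IHL), a non-first fragment that carries no transport header, and a capture truncated by the snaplen.

```python
"""Pull addresses and ports out of the raw bytes a pcap/WinPcap callback hands you.

libpcap/WinPcap deliver a link-layer frame and a caplen; everything above that
(Ethernet, VLAN, IPv4, TCP/UDP) you decode yourself.  Standard library only.
"""
import socket
import struct
from typing import Optional

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_header_ok(ip: bytes) -> bool:
    """Recompute the RFC 791 header checksum; a valid header folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(ip) // 2), ip))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(frame: bytes, caplen: Optional[int] = None) -> Optional[dict]:
    """Return src/dst IP, protocol and ports for an IPv4 TCP/UDP frame, else None.

    caplen mimics pcap_pkthdr.caplen: the bytes actually captured, which may be
    fewer than the packet length if the snaplen truncated it.
    """
    data = frame[: caplen if caplen is not None else len(frame)]
    if len(data) < 14:
        return None
    ethertype = struct.unpack_from("!H", data, 12)[0]
    off = 14
    if ethertype == ETH_P_8021Q:  # 802.1Q tag: 4 extra bytes, real type follows
        if len(data) < 18:
            return None
        ethertype = struct.unpack_from("!H", data, 16)[0]
        off = 18
    if ethertype != ETH_P_IP:
        return None  # ARP, IPv6, ...: not handled here

    if len(data) < off + 20:
        return None
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", data, off)
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length including options
    if ihl < 20 or len(data) < off + ihl:
        return None
    info = {
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "proto": proto,
        "header_ok": ipv4_header_ok(data[off:off + ihl]),
        "sport": None,
        "dport": None,
    }
    if flags_frag & 0x1FFF:  # only the first fragment carries the transport header
        return info
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(data) >= off + ihl + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", data, off + ihl)
    return info


# Constructed frames (hex typed by hand for this example, not captured traffic).
# Ethernet / IPv4 192.168.1.10 -> 93.184.216.34 / TCP 51514 -> 443 SYN
TCP_SYN = bytes.fromhex(
    "001122334455 66778899aabb 0800"
    "4500 0028 0001 0000 4006 8342 c0a8010a 5db8d822"
    "c93a 01bb 00000001 00000000 5002 ffff 0000 0000")
# Ethernet + 802.1Q VLAN 100 / IPv4 10.0.0.1 -> 10.0.0.2 / UDP 51515 -> 53, payload "ping"
VLAN_UDP = bytes.fromhex(
    "001122334455 66778899aabb 8100 0064 0800"
    "4500 0020 0002 0000 4011 66c9 0a000001 0a000002"
    "c93b 0035 000c 0000 70696e67")

if __name__ == "__main__":
    for name, frame in (("TCP_SYN", TCP_SYN), ("VLAN_UDP", VLAN_UDP)):
        print(name, parse_frame(frame))
```

In a real WinPcap program the same arithmetic applies to `pkt_data` with `header->caplen` as the bound; the check against `caplen` before every read is what keeps a truncated or malformed frame from becoming an out-of-bounds read in C.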
I am working with a "real time" data analysis toolchain which is separated into two parts. The first part fetches the data to be analyzed, packs it into a UDP packet and sends it to another host. The second part, running on the aforementioned host, receives the UDP packets and performs analysis on the received packets. By "real time" I mean that the output of the analysis toolchain should appear live to a human user, thus latencies of up to 100 ms are acceptable.
I am looking into making a new data source available to the receiving part. The data that I am looking for are being transferred on an Ethercat bus, which I can sniff. Wireshark/tshark have a dissector for Ethercat packets. With that said, it's really simple to get at the data in a script running within Wireshark/tshark. Since I have little control over the second part of the analysis, I cannot readily modify the second part to sniff Ethercat frames via pcap or somesuch.
Is it possible to send UDP packets from a script running in Wireshark/tshark?
Wireshark's Lua doesn't have a way to do that available out-of-the-box, but it's stock Lua, so you can write a Wireshark Lua script which itself can import (i.e., use require) any other Lua script or compiled Lua dll/so library. So, for example, you could use the LuaSocket library to send packets from within your Wireshark Lua script.
Note that there is no event loop available to Wireshark Lua scripts, so receiving packets via LuaSocket isn't going to work, afaik. But since you're talking about sending over UDP, and sending only when the Wireshark Lua script will get invoked (i.e., because you'd do the send() call inside a tap or dissector), I think it should work. If it does/doesn't please post back, because this question comes up now and then and it would be good to know.
I have an arduino galileo board, which I'm running using Intel's image on a micro-sd card.
I already manage to run basic Lua scripts on it.
I want to run a Lua script on the board (Intel's image) and interact with the arduino interface - for example be able to turn on a led or read sensor data. This is very simple to do when using sketch directly, where you have straight forward API to turn on specific pin that is connected to a led. Same goes for reading input from a pin (check if sensor is sending data).
Is there a Lua library that has such access to the pins? or should I somehow connect the Lua script to the Arduino API?
The script will already run on the board.
Thanks.
What you want to do is similar to Firmata; it is a Processing and Arduino sketch that uses the Arduino as a mere "executor" of a pseudo language over serial.
That means many Arduino commands are mapped to a specific serial command; for example 'aX' may mean do a digitalRead, where X is the pin number, 'bX' do an analogRead, and so on; obviously the Arduino will then send back the reading to your host.
The drawback is that you are limited by serial (or any other bus) throughput. That means, if you want to just fast-prototype something, it is a good solution, but when you need to code time-sensitive (or specialized) code, then you need to create your own function, called by your own command, which probably has a custom response... practically you are writing a custom program, and the Arduino (and Lua) sketch becomes a mere string parser.
On Galileo, the Arduino is connected by serial port, as it is needed for sketch upload, so as long as Lua gives you some library to manipulate the serial port, you are good to go for this solution.
I want to parse packets captured by Wireshark offline using libpcap. I am capturing packets from a wireless network in monitor mode. I have read that "libpcap" can be used to capture and parse packets captured on Ethernet. Can it be used for wireless networks too? If yes, can anyone suggest a tutorial? And if not, which library is suitable for it and how do I use it?
libpcap, and its Windows port, WinPcap can be used to capture network traffic (in fact, they're what Wireshark uses to capture network traffic), as well as to read a capture file in pcap format (the default format for Wireshark's existing releases) and, in libpcap 1.1 and later, to read some capture files in pcap-ng format (the default format for the current development version of Wireshark; it should write out files that libpcap 1.1 and later can read).
They can handle a number of network types, including Ethernet and Wi-Fi.
They do not, however, support parsing any packet types; that's the job of the code that uses them, whether it's tcpdump/WinDump, Wireshark, or some other application. There's a library called WiFiPcap that is:
A C++ wrapper around libpcap that parses 802.11 frames, and the most common layer 3 (IPv4, IPv6, ARP) and layer 4 protocols (TCP, UDP, ICMP) contained within them. Also works without link-layer headers. Works in Linux and Windows.
(copied from its web page, but edited to fix the protocol layer numbers to match the OSI model).
I have not looked at it, but it might do what you want.
There might also be other libraries that could be used to parse the packets.