Wireshark lua scripting to dissect CoAP option - lua

I'm writing lua script to dissect coap protocol. However I cannnot get coap options(URI-Path) of 2nd or later if there are several same options.
do
local test_proto = Proto("test_proto", "Test Protocol")
local test_uripath = ProtoField.string("test.uripath", "Uri-Path")
test_proto.fields = {test_uripath}
local coap_uripath = Field.new("coap.opt.uri_path")
function test_proto.dissector(tvbuffer, pinfo, treeitem)
local subtree = treeitem:add(test_proto)
subtree:add(test_uripath, tostring(coap_uripath().value))
end
register_postdissector(test_proto)
end
Only first URI-Path is displayed at subtree even if coap URI-Path option has several values like the following.
Opt Name: #1: URI-Path: XXX
Opt Name: #2: URI-Path: YYY
I can only get XXX by using coap.opt.uri_path. How can I get 2nd or later same option fields?

If you're interested in all fields and not just the first one, then you'll need to process the entire table. For example:
do
local test_proto = Proto("test_proto", "Test Protocol")
local test_uripath = ProtoField.string("test.uripath", "Uri-Path")
test_proto.fields = {test_uripath}
local coap_uripath = Field.new("coap.opt.uri_path")
function test_proto.dissector(tvbuffer, pinfo, treeitem)
local subtree = treeitem:add(test_proto)
local coap_uripath_table = { coap_uripath() }
for i,uripath in ipairs(coap_uripath_table) do
subtree:add(test_uripath, tostring(uripath.value))
end
end
register_postdissector(test_proto)
end
See also:
https://osqa-ask.wireshark.org/questions/35682/lua-accessing-multiple-smb2msg_id-values
https://osqa-ask.wireshark.org/questions/1579/fetching-multiple-named-values-with-lua

Related

How to access TLS Version/ Checksum of packet in Wireshark Lua dissector?

I am new to Wireshark and its Lua API. I need to write a dissector that can capture packets on port 443, modify some of the contents and then send them over to the destination. I found a script here which I have modified according to my needs:
-- create myproto protocol and its fields
p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
local f_data = ProtoField.string("myproto.data", "Data", FT_STRING)
p_myproto.fields = {f_command}
-- myproto dissector function
function p_myproto.dissector (buf, pkt, root)
print ('packet captured')
-- validate packet length is adequate, otherwise quit
if buf:len() == 0 then return end
pkt.cols.protocol = p_myproto.name
local colss = pkt.cols
--pkt.cols.info:append(" " .. tostring(pkt.dst).." -> "..tostring(pkt.src))
print ("" .. tostring(pkt.dst))
print ("" .. tostring(pkt.src_port))
print ("" .. tostring(pkt.dst_port))
end
-- Initialization routine
function p_myproto.init()
end
-- register a chained dissector for port 8002
local tcp_dissector_table = DissectorTable.get("tcp.port")
dissector = tcp_dissector_table:get_dissector(443)
-- you can call dissector from function p_myproto.dissector above
-- so that the previous dissector gets called
tcp_dissector_table:add(443, p_myproto)
I can access fields like dst, src, dst_port etc. The entire list is available here. But I cannot find any reference anywhere as to how I can access/modify the checksum of the packet, the selected cipher suites etc. I know they exist on the transport layer but I could not find any documentation that will allow me to access/modify these values.
What am I doing wrong? Any help in this regard will be appreciated!
Thanks!
You can access any field using a Field Extractor, and the entire list is not available on the LuaAPI/Pinfo wiki page as you referenced, but on the Wireshark Display Filter Reference page.
For example, if you want the TCP checksum, you can use:
fe_tcp_checksum = Field.new("tcp.checksum")
...
function p_myproto.dissector (buf, pkt, root)
...
f_tcp_checksum = fe_tcp_checksum().value
...
end
The Wireshark wiki provides more Lua/Examples.

How to get wireshark heuristic dissector work?

I'm writting a lua script as wireshark(1.12.4) plugin to dissect my private protocols,I can get it work as normal dissector,which binding a certain port(such as 80) to DissectorTable "tcp.port".The pseudo-code as follows:
local my_pro = Proto("MyPro","My Protocol")
local my_pro_field_1 = ProtoField.uint16("MyPro.filed_1","Field 1",base.HEX)
local my_pro_field_2 = ProtoField.uint16("MyPro.filed_2","Field 2",base.HEX)
my_pro.fields = {my_pro_field_1,my_pro_field_2}
local data_dis = Dissector.get("data")
function my_pro.dissector(buf,pkt,root)
if (buf(0,2):uint() ~= 1 or buf(2,2):uint() ~= 1) then
data_dis:call(buf,pkt,root)
return false
end
pkt.cols.protocol = "My Protocol"
local tree = root:add(my_pro,buf(0,buf:len()))
tree:add_le(my_pro_field_1,buf(0,2))
tree:add_le(my_pro_field_2,buf(2,2))
return true
end
local tcp_encap_table = DissectorTable.get("tcp.port")
tcp_encap_table:add(80,my_pro)
The problem is:
What if My protocol is not running on a certain port,as I don't want to modify the port above every time,I actually want the dissector to be wise enough to dynamically identify some kind of pattern and do the right dissecting then.
I've searched out there's a so called "heuristic" dissector,I add codes below to test but I could't get it work.
local function my_heur_dissector(buf,pkt,root)
local ret = my_pro.dissector(buf,pkt,root)
if (not ret) then
return false
end
pkt.conversation = my_pro
return true
end
my_pro:register_heuristic("tcp",my_heur_dissector)
When I change the port,the packets're not parsed as my protocol,so I have to use "Decode as" menu.
So,how can I get the heuristic dissector work base on my code?Have I missed something?
BTW,the answer with code is appreciated.
Sadly, if you need a heuristic dissector (HD) it cannot be done in a plugin manner, and you need to write a new HD.
https://github.com/wireshark/wireshark/blob/master/doc/README.heuristic
(Yes, it has been over 2 years, but if some future-googler finds it...)

How can I get a wireshark Lua dissector protocol preferences to save and persist when I close wireshark?

So I have written what I can only refer to as an Awesome dissector. It doesn't do much, yet it boosts my work efficiency greatly.
My only problem is that I exposed a few preferences, and they won't stick through wireshark close/start.
I.E. :
Prerequisite : Lua script must be in plugins dir...
Open wireshark, Edit > Preferences > Protocol > http.queryparameters...
Set Param1 Value to "aaa", click OK. (It will affect dissection properly.)
Close wireshark, Start again, the value is again something else.
My dissector :
-- Written by Eitam Doodai
-- trivial postdissector example
-- declare some Fields to be read
full_uri_from_request = Field.new("http.request.full_uri")
-- declare our (pseudo) protocol
http_query_params_proto = Proto("http.query_parameters","HTTP Query Parameters Postdissector")
-- create the fields for our "protocol"
query_param1 = ProtoField.string("http.query_parameters.param1","PARAM1")
query_param2 = ProtoField.string("http.query_parameters.param2","PARAM2")
query_param3 = ProtoField.string("http.query_parameters.param3","PARAM3")
-- add the field to the protocol
http_query_params_proto.fields = {query_param1}
http_query_params_proto.fields = {query_param2}
http_query_params_proto.fields = {query_param3}
-- Add prefs
local p1 = http_query_params_proto.prefs
p1.value1 = Pref.string ("Param1 Value", "123", "Param key to extract")
p1.value2 = Pref.string ("Param2 Value", "456", "Param key to extract")
p1.value3 = Pref.string ("Param3 Value", "789", "Param key to extract")
-- create a function to "postdissect" each frame
function http_query_params_proto.dissector(buffer,pinfo,tree)
-- obtain the current values the protocol fields
local full_uri_value = full_uri_from_request()
if full_uri_value then
local value = tostring(full_uri_value)
local subtree = tree:add(http_query_params_proto,"Query Param1")
local subtree = tree:add(http_query_params_proto,"Query Param2")
local subtree = tree:add(http_query_params_proto,"Query Param3")
_, _, query_param1_str = string.find(value,p1.value1 .. "=([^&]+)")
_, _, query_param2_str = string.find(value,p1.value2 .. "=([^&]+)")
_, _, query_param3_str = string.find(value,p1.value3 .. "=([^&]+)")
if query_param1_str then
subtree:add(query_param1,query_param1_str)
end
if query_param2_str then
subtree:add(query_param2,query_param2_str)
end
if query_param3_str then
subtree:add(query_param3,query_param3_str)
end
end
end
-- register our protocol as a postdissector
register_postdissector(http_query_params_proto)
If you have a console open and start wireshark from the command line, after you change one of your http.query_parameters.param settings, save it and close wireshark, and restart it, you'll see something like:
...preferences line 1829: No such preference "http.query_parameters.value2" (applying your preferences once should remove this warning)
And that's a problem: wireshark prints that out for preferences it finds in the saved preference file that it doesn't understand/know-about.
Edit: do NOT open a bug about this. The problem is you used a Protocol name that already exists with preferences: "http". In other words, since you're basically naming the preferences http.query..., wireshark thinks it should belong to the http protocol module, but the real http module doesn't know anything about it, so wireshark prints that error the next time it tries reading from the preferences file.
Long story short: change the name of your Proto and fields and so on, to not collide with a real protocol name.

Wireshark Dissector in Lua

First of all, I'm new to Lua altogether, and this is my first attempt at writing a wireshark dissector.
My protocol is straightforward - a 2 byte length field, followed by a string of that length.
When I run the code through the Lua console, everything works as expected.
When the code is added to the Wireshark plugins directory, I get the error
Lua Error: [string "C:\Users...\AppData\Roaming\Wireshark..."]:15: calling 'add' on bad self (number expected, got string)
Line 15 corresponds is the t:add(f_text... line.
Can anyone explain the discrepancy between the execution methods?
do
local p_multi = Proto("aggregator","Aggregator");
local f_len = ProtoField.int16("aggregator.length","Length",base.DEC)
local f_text = ProtoField.string("aggregator.text","Text")
p_multi.fields = { f_len, f_text }
local data_dis = Dissector.get("data")
function p_multi.dissector(buf,pkt,root)
pkt.cols.protocol = "Aggregator"
local len = buf(0,2):int()
local t = root:add(p_multi,buf(0,len+2))
t:add(f_len,buf(0,2),"Length: " .. buf(0,2):int())
t:add(f_text,buf(2,len),"Text: " .. buf(2,len):string())
end
local tcp_encap_table = DissectorTable.get("tcp.port")
tcp_encap_table:add(4321,p_multi)
end
Your dissector code is very close to correct, but you're doing extra work that the interface won't accept. If you change your dissector function like so,
function p_multi.dissector(buf,pkt,root)
pkt.cols.protocol = "Aggregator"
local len = buf(0,2):int()
local t = root:add(p_multi,buf(0,len+2))
t:add(f_len,buf(0,2)) --let Wireshark do the hard work
t:add(f_text,buf(2,len)) --you've already defined their labels etc.
end
you'll get the desired behavior. The labels "Text" and "Length" are already defined for your fields, so there is no need to provide them again on lines 15 and 16.

Wireshark Lua Dissector - How to set source and destination

I'm working on a Wireshark Dissector in Lua.
I try to provide wireshark as much information about my custom protocol as possible to make use of the available analysis tools. Therefore I'm trying to set the correct source and destination address for my protocol.
My protocol can be on top of different other protocols such as UDP or IEEE 802.15.4. So it might even be that the package source/destination is already set (UDP).
However I want wireshark to show my addresses, so I tried the following:
myproto = Proto("myproto"), "My Protocol")
myproto_source = ProtoField.uint16("myproto.src", "Source Address", base.HEX)
myproto.fields = { myproto_source }
function myproto.dissector(buffer, pinfo, tree)
local subtree = tree:add(myproto, buffer(), "My Proto")
subtree:add(myproto_source, buffer(0,2)
-- does not work with error:
-- bad argument #1 to '?' (Address expected, got userdata)
pinfo.src = myproto_source
-- does work, but only adds text, wireshark tools rely on pinfo.src
pinfo.cols.src = tostring(buffer(0,2):uint())
end
udp_table = DissectorTable.get("udp.port")
udp_table:add( 12345, myproto )
wtap_encap_table = DissectorTable.get("wtap_encap")
wtap_encap_table:add(wtap["IEEE802_15_4"], myproto)
So is there maybe a datatype/class "address" that is necessary to set pinfo.src? Or is there a totally different way to set the packet information?
Thanks in advance!
pinfo.src takes an Address object (which is an IP address; not a 16-bit integer). Example usage:
pinfo.src = Address.ip('1.2.3.4')
Note that this only sets the text of the "Source" column shown in Wireshark. The underlying packet info cannot be modified, and the IP packet details will continue to show the actual IP address.
Just a suggestion - I'm not an LUA wiz:
pinfo:col.src = buffer(0,2):uint()
maybe??

Resources