need help to write a small dissector

asked 2024-02-28 18:48:23 +0000

Pf@nne gravatar image

Moin!

I got some problems to understand the lua script language. I hope someone like to support me... :-)

My first Problem ist to dissect a 16 Byte timestamp. The timestamp is described as follows:

"For timestamp the length in hexadecimal is 16 as mentioned. Converting the hexdecimal to binary we get 128 bits." The timestamp is an Epoch from 01/01/1904 00:00:00.00 UTC. The MSB 64 bits is the 2's complement integer of seconds from Epoch. The LSB 64 is direct decimal N to calc decimal seconds. N*2^(-64).

Right nor I stuck to decode the first 8 Bytes (seconds from 1.1.1904). 

atime= ProtoField.absolute_time ("sitipe.atime", "test atime    " ,base.LOCAL),
timeFloat= ProtoField.double("sitipe.timeFloat", "test float    " ),

subtree:add_le(sitipe_fields.timeFloat,  buffer(6,8), time_stamp)

How to convert the seconds from the timestamp + TimeForm(1.1.1904) to a DateString?

edit retag flag offensive close merge delete

Comments

Is there a RFC or spec document you can share a link to?

Chuckc gravatar imageChuckc ( 2024-02-28 20:55:18 +0000 )edit

not realy, but I know the meaning of each byte in the payload.

The TimeStamp is contained in 2 x 8 bytes an was built in 2 steps:
Step 1: MSB - integer time in seconds since 1.1.1904 [0x 00 00 00 00 E1 F6 93 30] = 3.791.033.136 seconds
Step 2: LSB - integer time in micro seconds = description follows

local time_stamp = buffer(6,8):uint64() --seconds
subtree:add_le(sitipe_fields.timeint,  buffer(6,8), time_stamp)

local ts_days = time_stamp /60/60/24
subtree:add_le(sitipe_fields.timeFloat,  buffer(6,8), ts_days:todouble()) --how to print the double?

oletime = ProtoField.double("logger.oletime", "OLE time"),

-- Note: .int64 doesnt work so just using .int32
oletime_days    = ProtoField.int32("sitipe.oletime.days", "Days"),
oletime_partial = ProtoField.double("sitipe.oletime.partial", "Partial"),
oletime_abs     = ProtoField.absolute_time("sitipe.oleabstime", "OLE Abs time", base.UTC),

--local logger_tree = tree:add(p_logger, buffer(0,-1))
local OLE_DIFF_TO_UNIX = 25569  
local SECS_PER_DAY ...
(more)
Pf@nne gravatar imagePf@nne ( 2024-02-28 21:59:43 +0000 )edit

The timestamp format seems similar to LabVIEW Timestamp Overview.

Format timestamp in Python: How do I convert a LabVIEW decimal date into a string datetime format using Python?

Their example done in Wireshark Lua Console (WSDG - 11.1. Utility Functions):

print(format_date(3640111724.4817362 - 2082844800))

May  7, 2019 17:08:44.481736183 Central Daylight Time
Chuckc gravatar imageChuckc ( 2024-02-29 15:43:03 +0000 )edit

Hi Chuckc,

yes, indeed it is a LabView timestamp. My problem isnĀ“t to unterstand how to decode a LabView timestamp. My problem ist to unterstand how to convert / typecast the 2 x 8 Byte in my Lua dissector.

Maybe we should solve it step by step....

local time_stamp = buffer(6,8):uint64() --seconds
subtree:add_le(sitipe_fields.timeint,  buffer(6,8), time_stamp)

This works...

MSB - 0x 00 00 00 00 e1 f6 93 30 = 3.791.033.136 seconds from 1.1.1904.

This converts the seconds into days [double]

local ts_days = time_stamp /60/60/24

How to add the days to my tree?

  timeDouble     = ProtoField.double        ("sitipe.timeDouble"       , "test double    " ),

 local ts_days = 1.1
 ts_days = (time_stamp /60/60/24):double()
 subtree:add_le(sitipe_fields.timeDouble,  buffer(6,8), ts_days)

Lua Error: C:\Program Files\Wireshark\plugins\4.2\epan\SITIPE_MS.lua:58: No such 'double' method/field for object type 'UInt64'

Pf@nne gravatar imagePf@nne ( 2024-02-29 19:22:57 +0000 )edit

11.13.2. UInt64

11.13.2.8. uint64:tonumber() Returns a Lua number of the UInt64 value. This may lose precision. Since: 1.11.3

https://www.lua.org/pil/2.3.html

The number type represents real (double-precision floating-point) numbers.

    timeDouble = ProtoField.double("easypost.timeDouble", "test double" 
...
    local time_stamp = UInt64.fromhex("00000000E1F69330")
    print(time_stamp)
    local ts_days =  (time_stamp /60/60/24):tonumber()
    print(ts_days)
        subtree:add(pf.timeDouble, ts_days

Console output:

3791033136

43877

Tree data:

test double: 43877
Chuckc gravatar imageChuckc ( 2024-02-29 22:49:26 +0000 )edit
see more comments