1 | initial version |
Sorry for the very late response here. I had asked about the link layer type but never received a response and then I forgot all about this question. I stumbled across this question again today, so I'll attempt to answer it now.
If you're able to write a pcap file, then you must set the Data Link Type (or DLT for short) to one of the user-defined types, 147-162. Here I'll assume you use DLT 150. If you already have a pcap capture file and need to change the encapsulation type, you can do so with editcap
. For example:
editcap -T user3 -input.pcap output.pcap
If instead you have a text file, then you can use text2pcap
to convert the file into a pcap file with the appropriate DLT type. For example, let's say your protocol is foo and your foo.txt file contains the following data representing 8 bytes - 1 byte for address and 7 bytes of device data:
000000 31 31 32 33 34 35 36 37
You can convert the data to a pcap file using something like so:
text2pcap -l 150 foo.txt foo.pcap
If you load that foo.pcap file into Wireshark, you should see the packet details pane initially depicted as:
Frame 1: 8 bytes on wire (64 bits), 8 bytes captured (64 bits)
User encapsulation not handled: DLT=150, check your Preferences->Protocols->DLT_USER
Data (8 bytes)
Now you need to tell Wirehsark how this DLT should be dissected. To do that, navigate the GUI to Edit -> Preferences -> Protocols -> DLT_USER and then click on the Edit button next to the Encapsulations Table. Add a new DLT lookup with the +
, select "User 3 (DLT=150)" with the payload protocol set to foo and click OK
. You should now see your data dissected according to your Lua dissector.
For more information about how to dissect anything, refer to the Wireshark wiki page on How To Dissect Anything.
Of course up until now, I've assumed that you have a foo.lua file written, but in case you don't, below is a very simple one that should help you get started:
local p_foo = Proto("foo", "FOO")
local pf = {
address = ProtoField.uint8("foo.address", "Address", base.DEC),
data = ProtoField.bytes("foo.data", "Data", base.NONE)
}
p_foo.fields = pf
function p_foo.dissector(buf, pinfo, tree)
local foo_tree = tree:add(p_foo, buf(0,-1))
pinfo.cols.protocol:set("FOO")
foo_tree:add(pf.address, buf(0, 1))
foo_tree:add(pf.data, buf(1, buf:len()-1))
end
Now that you have a Lua dissector written and the DLT registered, you should see something like so:
Frame 1: 8 bytes on wire (64 bits), 8 bytes captured (64 bits)
DLT=150, Payload: foo (FOO)
FOO
Address: 49
Data: 31323334353637
There are many Lua resources available to help you further, and I'll direct you to my answer to a question over on Stack Overflow that lists many of them. Don't forget about the Lua 5.2 Reference Manual as well.