Ask Your Question
0

LUA wireshark dissector - combine data from 2 UDP packets

asked 2019-09-16 06:13:33 +0000

BMWE gravatar image

updated 2019-09-21 15:41:56 +0000

(21.9 - complete question revision)

Hello

I have fixed size (lets say 100) protocol, based on the UDP. The protocol contains the header which indicates where the first complete sub-message is located (location 5 in the buffer). Sub-messages starts at location 10 and may vary in sizes.

Also, following scenario may occur.

Packet contains some some sub-messages where each one of them is dealt separately. However, it maybe that one of the sub-messages will be greater than the rest of the whole packet length (lets say that this sub-message length is starting at location 95 and its length is 12 bytes) and therefore the sub-message would be split into 2 packets as shown below - first part would be in packet x (5 bytes) and the rest in packet x+1 (7 bytes). In such case, in message x+1 first sub-message location indicator will be 17 instead of 10.

Protocol Structure

Any way, as the sub-message N is split, my applicative SW can't handle till the whole sub-message would be available and therefore I'd like to dissect packet N (N1+N2) in packet x+1.

Currently I have a dissector which can handle packets where the sub-message is not filling the whole buffer (i.e. sub-messages are less than 100 Bytes) or in case of packet x, it will parse only the 5 bytes. in case of packet x+1, it will start with sub-message 1 and will skip the N2.

I need some assistance with implementing the combining N1 with packet x+1 (except the header) so that it can be processed accordingly. I've found that I have to use the ByteArray to store the data between packet x and x+1 but getting lost with the implementation. Some code example with explanations would be appropriated.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-07-14 16:40:10 +0000

ng215 gravatar image

updated 2021-07-14 17:01:17 +0000

To reassamble a certain portion of UDP fragments you must declare init() function. This init function is initialized when wireshark starts up. For example:


function NDN_protocol.init()
    fragmPkts = {}  -- global array table will hold the fragmts from different fragmntsPkts.
end

Then write a function that allows you to append fragments to the table array. Which you can use later to concatenate to make a tvb buffer.

function ASSEMBLE_FRAGMENTS(fragBuff, packetKey, fragIndexVal, fragCountVal)
    local fragDataTvb = nil
    fragIndexVal = tonumber(tostring(fragIndexVa),16) 
    fragCountVal =  tonumber(tostring(fragCountVal ),16)

    if fragmPkts[packetKey] == nil then
        fragmPkts[packetKey] = {}     -- create a new row per packet set
    else
        fragmPkts[packetKey][fragIndexVal] = fragBuff:bytes()   -- add to fragment to table

        local pkt_received = 0    -- must count actual pkts received
        for i, v in pairs(fragmPkts[packetKey]) do
            pkt_received = pkt_received + 1
        end

         -- fragIndex starts from zero                          
        if (pkt_received == fragCountVal and fragIndexVal == fragCountVal-1) then 
            fragDataTvb = ByteArray.new()

            TABLE_SORT(fragmPkts[packetKey])  -- function to sort out of order Fragpkts.

            for i = 0, fragCountVal-1 do
                fragDataTvb:append(fragmPkts[packetKey][i])
            end
            fragDataTvb= ByteArray.tvb(fragDataTvb, "Reassembled Fragment")
        end
    end
    return  fragDataTvb   --returns a reassembled fragment buffer
end

Follow additional example posted at this url : https://osqa-ask.wireshark.org/questi...

edit flag offensive delete link more
0

answered 2019-09-16 16:02:51 +0000

cmaynard gravatar image

Assuming the transport is TCP, your dissector will need to reassemble the TCP segments. Refer to the Wireshark Lua/Dissectors wiki page for general guidelines on TCP reassembly. The Lua/Examples wiki page also provides a sample dissector, namely fpm.lua, that serves as an excellent example Lua script for a TCP-based protocol dissector.

If the transport is something other than TDP, say UDP for example, then you will have to figure out how to reassemble the messages yourself, but the basic principles from the TCP example will generally apply.

edit flag offensive delete link more

Comments

question was revised to be more informative

BMWE gravatar imageBMWE ( 2019-09-21 15:42:24 +0000 )edit

Hello @cmaynard, I've implemented this combining, however, for packet X+1, I'm getting error if I wasn't clicked on packet X. Any suggestion what could be done?

BMWE gravatar imageBMWE ( 2020-06-23 11:40:50 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-09-16 06:13:33 +0000

Seen: 961 times

Last updated: Jul 14