# LUA wireshark dissector - combine data from 2 UDP packets

(21.9 - complete question revision)

Hello

I have a fixed-size (let's say 100) protocol based on UDP. The protocol contains a header which indicates where the first complete sub-message is located (location 5 in the buffer). Sub-messages start at location 10 and may vary in size.

Also, the following scenario may occur.

A packet contains some sub-messages, each of which is dealt with separately. However, it may be that one of the sub-messages is greater than the rest of the whole packet length (let's say that this sub-message starts at location 95 and its length is 12 bytes), and therefore the sub-message would be split into 2 packets as shown below: the first part would be in packet x (5 bytes) and the rest in packet x+1 (7 bytes). In such a case, in message x+1 the first sub-message location indicator will be 17 instead of 10.

Anyway, as sub-message N is split, my application SW can't handle it until the whole sub-message is available, and therefore I'd like to dissect packet N (N1+N2) in packet x+1.

Currently I have a dissector which can handle packets where the sub-messages do not fill the whole buffer (i.e. sub-messages are less than 100 bytes), or, in the case of packet x, it will parse only the 5 bytes. In the case of packet x+1, it will start with sub-message 1 and will skip N2.

I need some assistance with implementing the combining of N1 with packet x+1 (except the header) so that it can be processed accordingly. I've found that I have to use a ByteArray to store the data between packets x and x+1, but I'm getting lost with the implementation. A code example with explanations would be appreciated.



To reassemble a certain portion of UDP fragments you must declare an init() function. This init function is called when Wireshark starts up. For example:

    function NDN_protocol.init()
        fragmPkts = {}  -- global table that holds the fragments of each fragmented packet set
    end


Then write a function that allows you to append fragments to the table array, which you can later concatenate to make a tvb buffer.

    function ASSEMBLE_FRAGMENTS(fragBuff, packetKey, fragIndexVal, fragCountVal)
        local fragDataTvb = nil
        -- the index and count arrive as hex strings (e.g. a field's tostring); convert them to numbers
        fragIndexVal = tonumber(tostring(fragIndexVal), 16)
        fragCountVal = tonumber(tostring(fragCountVal), 16)

        if fragmPkts[packetKey] == nil then
            fragmPkts[packetKey] = {}     -- create a new row per packet set
        end
        fragmPkts[packetKey][fragIndexVal] = fragBuff:bytes()   -- add the fragment to the table

        -- count how many fragments of this set have been received so far
        local pkt_received = 0
        for _, _ in pairs(fragmPkts[packetKey]) do
            pkt_received = pkt_received + 1
        end

        -- fragIndex starts from zero; reassemble once the last fragment of a complete set has arrived
        if (pkt_received == fragCountVal and fragIndexVal == fragCountVal - 1) then
            fragDataTvb = ByteArray.new()

            -- fragments may have arrived out of order; walking the indices 0..count-1 restores the order
            for i = 0, fragCountVal - 1 do
                fragDataTvb:append(fragmPkts[packetKey][i])
            end
            fragDataTvb = ByteArray.tvb(fragDataTvb, "Reassembled Fragment")
        end
        return fragDataTvb   -- returns a reassembled fragment buffer, or nil while the set is incomplete
    end



Assuming the transport is TCP, your dissector will need to reassemble the TCP segments. Refer to the Wireshark Lua/Dissectors wiki page for general guidelines on TCP reassembly. The Lua/Examples wiki page also provides a sample dissector, namely fpm.lua, that serves as an excellent example Lua script for a TCP-based protocol dissector.

If the transport is something other than TCP, say UDP for example, then you will have to figure out how to reassemble the messages yourself, but the basic principles from the TCP example will generally apply.


(2019-09-21 15:42:24 +0000)

Hello @cmaynard, I've implemented this combining; however, for packet X+1, I'm getting an error if I haven't clicked on packet X. Any suggestion what could be done?

(2020-06-23 11:40:50 +0000)
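The following is an added example, not code from the question or from either answer, showing the ByteArray approach from the first answer applied to the protocol described in the question: a sub-message whose first part (N1) ends packet x and whose remainder (N2) opens packet x+1 is joined and dissected in packet x+1. It also handles the situation raised in the last comment. Wireshark dissects every frame once, in order, when the capture is loaded (`pinfo.visited == false`) and then again, in any order, whenever a packet is selected, so the cross-packet state is only built during the first pass and the joined bytes are cached by frame number for later passes; selecting packet x+1 without packet x then still works. The protocol details the page does not state are assumptions: every payload is exactly 100 bytes, byte 5 of the 10-byte header holds the offset of the first complete sub-message, each sub-message is a 1-byte length followed by that many data bytes, a flow is identified by address and port pair, and the UDP port `PORT` is a placeholder.

```lua
-- Added example (not from the question or answers). Assumptions, not stated on the page:
-- fixed PKT_LEN payload, 10-byte header with the first-complete-sub-message offset at byte 5,
-- sub-message = 1 length byte + data, flow keyed by address/port pair, placeholder UDP port.
local PKT_LEN       = 100
local HDR_LEN       = 10
local FIRST_SUB_OFF = 5
local PORT          = 5000   -- placeholder, not a port from the page

local proto = Proto("splitudp", "Split sub-message UDP protocol (example)")
local f_first    = ProtoField.uint8("splitudp.first_sub", "First complete sub-message offset", base.DEC)
local f_sub_len  = ProtoField.uint8("splitudp.sub.len",   "Sub-message length", base.DEC)
local f_sub_data = ProtoField.bytes("splitudp.sub.data",  "Sub-message data")
proto.fields = { f_first, f_sub_len, f_sub_data }

-- 'pending' holds, per flow, the tail fragment (N1) of the most recent packet; it is only
-- written during the first sequential pass. 'reassembled' caches the joined bytes by frame
-- number so that re-dissecting packet x+1 later does not depend on packet x being revisited.
local pending     = {}
local reassembled = {}

function proto.init()
    pending     = {}
    reassembled = {}
end

local function flow_key(pinfo)
    return tostring(pinfo.src) .. ":" .. tostring(pinfo.src_port) .. ">" ..
           tostring(pinfo.dst) .. ":" .. tostring(pinfo.dst_port)
end

-- Walk complete sub-messages from 'offset' to the end of 'tvb'. Returns the bytes of a
-- trailing partial sub-message (N1) if the packet boundary cuts one off, otherwise nil.
local function dissect_submessages(tvb, tree, offset)
    while offset < tvb:len() do
        local len = tvb(offset, 1):uint()
        if offset + 1 + len > tvb:len() then
            local st = tree:add(proto, tvb(offset), "Partial sub-message (continues in next packet)")
            st:add(f_sub_len, tvb(offset, 1))
            return tvb(offset):bytes()
        end
        local st = tree:add(proto, tvb(offset, 1 + len), "Sub-message")
        st:add(f_sub_len, tvb(offset, 1))
        if len > 0 then st:add(f_sub_data, tvb(offset + 1, len)) end
        offset = offset + 1 + len
    end
    return nil
end

function proto.dissector(tvb, pinfo, tree)
    if tvb:len() ~= PKT_LEN then return 0 end   -- not this protocol
    pinfo.cols.protocol = proto.name
    local root  = tree:add(proto, tvb(), proto.description)
    root:add(f_first, tvb(FIRST_SUB_OFF, 1))
    local first = math.min(tvb(FIRST_SUB_OFF, 1):uint(), tvb:len())
    local key   = flow_key(pinfo)
    local frame = pinfo.number

    if first > HDR_LEN then
        -- bytes HDR_LEN..first-1 are N2, the continuation of the previous packet's N1
        local n2 = tvb(HDR_LEN, first - HDR_LEN)
        if not pinfo.visited and reassembled[frame] == nil and pending[key] ~= nil then
            local whole = ByteArray.new()
            whole:append(pending[key])     -- N1 from packet x
            whole:append(n2:bytes())       -- N2 from this packet
            reassembled[frame] = whole
        end
        if reassembled[frame] ~= nil then
            -- expose the joined sub-message as its own data source so fields can point into it
            local rtvb = ByteArray.tvb(reassembled[frame], "Reassembled sub-message")
            local st = root:add(proto, n2, "Reassembled sub-message (N1 from previous packet + N2)")
            if dissect_submessages(rtvb, st, 0) ~= nil then
                st:add_expert_info(PI_MALFORMED, PI_ERROR, "Reassembled sub-message is still incomplete")
            end
        else
            root:add(proto, n2, "Continuation of a sub-message whose start was not captured")
        end
    end

    -- complete sub-messages, then remember any cut-off tail for the next packet of this flow
    local tail = dissect_submessages(tvb, root, math.max(first, HDR_LEN))
    if not pinfo.visited then
        pending[key] = tail   -- nil clears a stale fragment when this packet has no tail
    end
    return tvb:len()
end

DissectorTable.get("udp.port"):add(PORT, proto)
```

With the numbers from the question, packet x carries a 12-byte sub-message starting at offset 95, so `dissect_submessages` stores its 5 visible bytes as the flow's pending tail; packet x+1 carries offset 17 in the header, so bytes 10..16 are appended to that tail and the 12-byte result is dissected from a separate "Reassembled sub-message" data source. If the capture starts with packet x+1 (no pending tail), the 7 bytes are shown as an uncaptured continuation instead of being skipped.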