LUA wireshark dissector - combine data from 2 UDP packets

asked 2019-09-16 06:13:33 +0000

BMWE

updated 2019-09-21 15:41:56 +0000

(21.9 - complete question revision)

Hello

I have a fixed-size (let's say 100) protocol based on UDP. The protocol contains a header which indicates where the first complete sub-message is located (location 5 in the buffer). Sub-messages start at location 10 and may vary in size.

Also, the following scenario may occur.

A packet contains some sub-messages, each of which is dealt with separately. However, it may be that one of the sub-messages is greater than the rest of the whole packet length (let's say that this sub-message starts at location 95 and its length is 12 bytes) and therefore the sub-message would be split into 2 packets as shown below: the first part would be in packet x (5 bytes) and the rest in packet x+1 (7 bytes). In such a case, in message x+1 the first sub-message location indicator will be 17 instead of 10.

(image: Protocol Structure)

Anyway, as sub-message N is split, my applicative SW can't handle it until the whole sub-message is available, and therefore I'd like to dissect packet N (N1+N2) in packet x+1.

Currently I have a dissector which can handle packets where the sub-messages do not fill the whole buffer (i.e. sub-messages are less than 100 bytes); in the case of packet x, it will parse only the 5 bytes. In the case of packet x+1, it will start with sub-message 1 and will skip N2.

I need some assistance with implementing the combining of N1 with packet x+1 (except the header) so that it can be processed accordingly. I've found that I have to use a ByteArray to store the data between packet x and x+1, but I'm getting lost with the implementation. Some code example with explanations would be appreciated.


1 Answer


answered 2019-09-16 16:02:51 +0000

cmaynard

Assuming the transport is TCP, your dissector will need to reassemble the TCP segments. Refer to the Wireshark Lua/Dissectors wiki page for general guidelines on TCP reassembly. The Lua/Examples wiki page also provides a sample dissector, namely fpm.lua, that serves as an excellent example Lua script for a TCP-based protocol dissector.

If the transport is something other than TCP, say UDP for example, then you will have to figure out how to reassemble the messages yourself, but the basic principles from the TCP example will generally apply.

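Added example, not the asker's code or cmaynard's: a stateful UDP dissector in Lua for the fixed-size protocol described in the question, which keeps the trailing fragment N1 in a ByteArray and dissects N1+N2 in packet x+1. It assumes each sub-message begins with a 1-byte total-length prefix and uses a placeholder UDP_PORT; neither value is given in the question.

```lua
-- Assumptions not taken from the question: every sub-message starts with a 1-byte
-- total-length prefix, and UDP_PORT is a placeholder port number.
local UDP_PORT, PACKET_LEN, HDR_LEN, FIRST_OFF = 9999, 100, 10, 5
local proto   = Proto("splitmsg", "Split sub-message demo")
local f_first = ProtoField.uint8("splitmsg.first", "First complete sub-message offset", base.DEC)
local f_sub   = ProtoField.bytes("splitmsg.sub", "Sub-message")
local f_reasm = ProtoField.bytes("splitmsg.reassembled", "Reassembled sub-message (N1+N2)")
proto.fields = { f_first, f_sub, f_reasm }
local pending = {}  -- flow key -> ByteArray fragment left over from the previous packet (first pass)
local carried = {}  -- frame number -> ByteArray fragment carried into that frame (stable on re-dissection)
local function flow_key(pinfo)
  return tostring(pinfo.src) .. ":" .. pinfo.src_port .. ">" .. tostring(pinfo.dst) .. ":" .. pinfo.dst_port
end

function proto.dissector(tvb, pinfo, tree)
  if tvb:len() ~= PACKET_LEN then return 0 end
  pinfo.cols.protocol = proto.name
  local root = tree:add(proto, tvb())
  root:add(f_first, tvb(FIRST_OFF, 1))
  local first, key = tvb(FIRST_OFF, 1):uint(), flow_key(pinfo)
  -- Wireshark dissects a frame more than once: only mutate flow state on the first pass.
  if not pinfo.visited then carried[pinfo.number], pending[key] = pending[key], nil end
  local n1 = carried[pinfo.number]
  -- Bytes between the header and the first complete sub-message are N2: join them to N1.
  if first > HDR_LEN then
    local n2 = tvb(HDR_LEN, first - HDR_LEN)
    if n1 then
      local whole = ByteArray.new(); whole:append(n1); whole:append(n2:bytes())
      local rtvb = whole:tvb("Reassembled sub-message")  -- extra data source in the bytes pane
      root:add(f_reasm, rtvb())
    else
      root:add(f_sub, n2):append_text(" (continuation, start not seen)")
    end
  end
  -- Walk complete sub-messages; one running past the end becomes N1 for the next packet.
  local off = first
  while off < PACKET_LEN do
    local len = tvb(off, 1):uint()
    if len == 0 then break end                       -- zero prefix: treat the rest as padding
    if off + len > PACKET_LEN then
      if not pinfo.visited then pending[key] = tvb(off):bytes() end
      root:add(f_sub, tvb(off)):append_text(" (fragment, continued in next packet)")
      break
    end
    root:add(f_sub, tvb(off, len))
    off = off + len
  end
  return PACKET_LEN
end
DissectorTable.get("udp.port"):add(UDP_PORT, proto)
```

Because Wireshark re-dissects frames (filter changes, two-pass tshark), the flow state is only advanced when `pinfo.visited` is false and the fragment carried into each frame is remembered by frame number, so the reassembled tree is reproducible on later passes.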

Comments

question was revised to be more informative

BMWE (2019-09-21 15:42:24 +0000)
