Lua script for statistics from Diameter 3GPP

asked 2020-02-19 21:35:30 +0000

Jarek Hartman

updated 2020-02-25 10:18:40 +0000

Hi experts,

I'm trying to create a Lua script to go through a Diameter pcap, gather the information that is interesting for me and generate a statistic.

This is partially successful; a working script can be found on GitHub, but I'm still having some doubts.

Field.new() and multiple occurrences of an AVP

I'm using Field.new() to retrieve AVPs, for example:

local rrField = Field.new("diameter.3GPP-Reporting-Reason")
local toField = Field.new("diameter.CC-Total-Octets")

But in a single packet there might be multiple occurrences of an AVP. Of course, I can access them as an array from

local rrFields = {rrField()}
local toFields = {toField()}

But I'm missing a reference to where the AVP was retrieved from. A good example is the Result-Code AVP:

In this single Diameter message it occurs three times, but as a result I'm getting just an array of three 2001's without a good understanding of the level at which each one appeared.

The situation becomes even messier when a single packet contains multiple Diameter messages. Then I cannot even figure out which message the AVP is from.

Function tap.packet(pinfo, tvb, tapdata) does not populate tapdata

Another idea was to dig into tapdata. If I understood correctly 11.4.1.5. listener.packet, the tapdata (aka tapinfo) shall be populated with dissected data, right? Hence I should be able to parse the message.

However, regardless of how hard I try, tapdata is always unset (i.e. nil). In the GitHub code:

       tap = Listener.new("diameter", filter)

but I also experimented with the 3rd parameter, setting it to true (hoping to generate all fields, even at the cost of a performance penalty). No luck.

Question

  • Is this approach right? Or should I use other ways, such as chained dissectors or a post-dissector? It was not clear to me whether I can access dissected data at the level I need.

Any help will be very much appreciated.

Thank you in advance and best regards, Jarek


Comments

Update 2020/03/20

Self-answering to Function tap.packet(pinfo, tvb, tapdata) does not populate tapdata

After examining the source code of Wireshark (tshark), it turns out that when processing Diameter, tshark does not populate this variable, as tapdata does not have a reference to this protocol. I've tried to add it to the taps definition and the variable (table) has been populated; even the names of the hashes are OK. But the variables in the hashes are not... Anyway, here is the change:

MBP:wireshark jhartman$ git diff epan/wslua/taps
diff --git a/epan/wslua/taps b/epan/wslua/taps
index 11b1132171..ea28865109 100644
--- a/epan/wslua/taps
+++ b/epan/wslua/taps
@@ -62,4 +62,5 @@ tcp ../dissectors/packet-tcp.h tcp_info_t
 #tls ../dissectors/packet-tls.h ssl_info_t
 #tr ../dissectors/packet-tr.h tr_info_t
 wlan ../dissectors/packet-ieee80211.h wlan_hdr_t
+diameter ../dissectors/packet-diameter.h diam_sub_dis_t
 #wsp ../dissectors/packet-wsp.h wsp_info_t
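Review bot: at the added diameter row, check that diam_sub_dis_t is the struct the Diameter dissector actually hands to the tap when it queues a packet. Each row in this file binds a tap name to a header and a C struct type, and if the type named here is not the one behind the tap's data pointer, the generated Lua table gets plausible key names but values read through the wrong layout, which matches the symptom described above the diff. Separately, the neighbouring rows (tcp, tls, tr, wlan, wsp) are in alphabetical order, so the new row belongs further up the file rather than between wlan and wsp.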
Jarek Hartman ( 2020-03-20 19:08:45 +0000 )
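For the first point of the question (telling apart several occurrences of one AVP), the byte ranges of the FieldInfo objects can be compared: a Result-Code belongs to the Diameter message, and to every grouped AVP, whose range contains it. The script below is an added example, not the poster's script or Wireshark project code. It assumes that all Diameter messages of a frame are dissected from the same data source (offsets from a reassembled buffer are not comparable with offsets in the frame) and that the "frame" tap is used so the callback runs once per frame.

```lua
-- Added example: attribute every Result-Code in a frame to its Diameter
-- message and to the chain of grouped AVPs that enclose it.
local f_msg = Field.new("diameter")             -- one FieldInfo per Diameter message
local f_avp = Field.new("diameter.avp")         -- one FieldInfo per AVP, grouped ones included
local f_rc  = Field.new("diameter.Result-Code")

-- true when FieldInfo `inner` lies inside the byte range of FieldInfo `outer`
local function contains(outer, inner)
    return inner.offset >= outer.offset
       and inner.offset + inner.len <= outer.offset + outer.len
end

local counts = {}                               -- "path=value" -> occurrences
-- "frame" tap: called once per frame, so a frame carrying several Diameter
-- messages is not walked once per message (assumption of this example)
local tap = Listener.new("frame", "diameter.Result-Code")

function tap.packet(pinfo, tvb)
    local msgs, avps = { f_msg() }, { f_avp() }
    for _, rc in ipairs({ f_rc() }) do
        local msg_idx = 0                       -- 0 = no enclosing message found
        for i, m in ipairs(msgs) do
            if contains(m, rc) then msg_idx = i end
        end
        local enclosing = {}
        for _, a in ipairs(avps) do
            if contains(a, rc) then enclosing[#enclosing + 1] = a end
        end
        -- outermost first: a nested AVP always starts after its parent's header
        table.sort(enclosing, function(x, y) return x.offset < y.offset end)
        local path = {}
        for _, a in ipairs(enclosing) do
            -- the AVP code is the first four bytes of the AVP header
            path[#path + 1] = string.format("%d", a.range:range(0, 4):uint())
        end
        local key = table.concat(path, "/") .. "=" .. string.format("%d", rc.value)
        counts[key] = (counts[key] or 0) + 1
        print(string.format("frame %d msg %d depth %d %s",
                            pinfo.number, msg_idx, #path, key))
    end
end

function tap.draw()
    for key, n in pairs(counts) do print(key, n) end
end

function tap.reset() counts = {} end
```

A path such as 456/268 means a Result-Code (268) nested inside a Multiple-Services-Credit-Control AVP (456), while a bare 268 is the message-level Result-Code.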