Ask Your Question
0

multiple lua dissectors using same ports

asked 2020-04-09 16:47:14 +0000

BMWE gravatar image

Hello,

I custom dissectors (for each protocol) which uses same ports:

  1. protocol A uses ports 1000 and 2000 (some messages are with src and dst 1000, other with src 1000 and dst 2000)
  2. protocol B uses ports 2000 and 3000 (some messages are with src and dst 2000, other with src 2000 and dst 3000)
  3. protocol C1 uses ports 3000 and 4000 (some messages are with src and dst 3000, other with src 3000 and dst 4000)
  4. protocol C2 uses ports 4000 and 5000 (some messages are with src and dst 4000, other with src 4000 and dst 5000)

some additional information:

  • all those protocols have common header (lets say AB:CD), there maybe other protocols with same headers.
  • C1 and C2 are same protocols, but have different destination - therefore the differentiation.
  • For each protocol, two of the messages for each protocol are with pretty high rate (50msec).

I'd like to have some easy identification of those protocols in the Wireshark stream.

What is the suggestion for creating those dissectors? Some of the things I've thought of:

  • I can create all the protocols in one file and associate all those ports, but in such case it would be harder to identifiable (will have to add also port numbers for the filtering rather than only the name).
  • generate 3 dissectors and in each dissector to verify the (src,dst) ports - I've tried it, but it is not always working. probably there is a meaning for the order in the init.lua
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-09 17:35:09 +0000

grahamb gravatar image

Can't you add them as one dissector, in that dissector determine the "sub-type" by inspecting the src and dst ports (pinfo) and adding a "generated" field that indicates the sub-type. This field can be added as a column and filtered on.

edit flag offensive delete link more

Comments

It is an option. I'd be glad glad if you can clarify little bit more on this, especially on the mentioned field

BMWE gravatar imageBMWE ( 2020-04-09 17:42:51 +0000 )edit

Create a ProtoField that reflects your protocol variants, type of your choosing, add it to the tree using a locally derived value from inspecting the ports, using add(YourProtoField, YourLocalValue), and call set_generated(TRUE) on the tree item previously added..

grahamb gravatar imagegrahamb ( 2020-04-10 07:40:54 +0000 )edit

OK, I see your point. I'll test it on next working day

BMWE gravatar imageBMWE ( 2020-04-10 08:01:15 +0000 )edit

Found an example in the Post dissector example, look at the ProtoField max_gap_field and local value max_gap .

grahamb gravatar imagegrahamb ( 2020-04-10 08:14:31 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2020-04-09 16:47:14 +0000

Seen: 400 times

Last updated: Apr 09 '20

Related questions

Testing Lua Dissectors [closed]

Is there a simple LUA script as an example for simple pcaps?

how to precompile and use precompiled lua dissectors

Lua dissector: Field extractor to get the last matched userdata

Custom sub protocols registering with a custom protocol's dissector table

How can I save the packet list exactly as Wireshark is displaying it as a JSON?

Adding a custom dissector to wireshark

Lua dissector is not processing the full TCP payload.

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2