Ask Your Question
0

How to decode protobuf by wireshark

asked 2020-04-13 09:37:32 +0000

wwwkkkzzz gravatar image

I have the version 3.3.0 of wireshark, And I have a test.pcapng .How can be decode it. I just select one data,right click-> "Decode as" , I want change it protocol, but there not found ProtoBuf in current column. Is there have detail manul for decode the Protobuf.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-05-20 16:40:53 +0000

Skison gravatar image

To support protobuf over tcp, you can write a Lua script and put it in your Lua plugins directory ("Help->About Wireshark->Folders->Personal Lua Plugins").

The file name might be "protobuf_tcp.lua", and the content likes:

do
    local protobuf_tcp_proto = Proto("protobuf_tcp", "Protobuf over TCP")
    local protobuf_dissector = Dissector.get("protobuf")
    local f_length = ProtoField.uint32("protobuf_tcp.length", "Length", base.DEC)
    protobuf_tcp_proto.fields = { f_length }
    -- This must be the root message defined in your .proto file
    local message_type = "tutorial.AddressBook"

    function protobuf_tcp_proto.dissector(tvb, pinfo, tree)
        local offset = 0
        local remaining_len = tvb:len()
        local subtree = tree:add(protobuf_tcp_proto, tvb())
        pinfo.columns.protocol:set("PB_TCP")
        while remaining_len > 0 do
            if remaining_len < 4 then -- head not enough
                pinfo.desegment_offset = offset
                pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
                return -1
            end

            local data_len = tvb(offset, 4):uint()

            if remaining_len - 4 < data_len then -- data not enough
                pinfo.desegment_offset = offset
                pinfo.desegment_len = data_len - (remaining_len - 4)
                return -1
            end
            subtree:add(f_length, tvb(offset, 4))

            pinfo.private["pb_msg_type"] = "message," .. message_type
            pcall(Dissector.call, protobuf_dissector, tvb(offset + 4, data_len):tvb(), pinfo, subtree)

            offset = offset + 4 + data_len
            remaining_len = remaining_len - 4 - data_len
        end
    end

    -- TCP port
    DissectorTable.get("tcp.port"):add(18127, protobuf_tcp_proto)
end

Remember to replace "tutorial.AddressBook" with the fullname of the root message defined in your .proto file and tcp port 18127 with your tcp port of your capture file.

You should be sure your .proto file is in the "Protobuf search paths", and make sure "load all files" option checked.

You can use "decode as" now if your message types for all tcp ports are the same.

Certainly, you can make the message type for each tcp port different and configurable by adding something like: protobuf_tcp_proto.prefs.tcp_port_message_maps = Pref.string("TCP Ports and Message Maps", "18127:tutorial.AddressBook", "Format: port1:message.type1,port2:message.type2,...") But that need more code.

edit flag offensive delete link more

Comments

Now, you can refer to https://gitlab.com/wireshark/wireshar... for more details about wireshark protobuf dissector.

Skison gravatar imageSkison ( 2020-11-20 11:10:51 +0000 )edit
0

answered 2020-04-13 10:43:33 +0000

grahamb gravatar image

You need to supply a .proto file that describes the protobuf format in use. See this page and the following one, from the User's Guide that describes how you can configure this.

edit flag offensive delete link more

Comments

Yes,I config it already, in "Edit"->"Prefences"->"Protocols"->"Protobuf" . Did I nedd selecte the Data Row, and right click-> Decode As ?

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-13 11:24:36 +0000 )edit

If your traffic is over UDP, then set the ports and message types in the dissector preference accordingly, else your traffic must be over HTTP using grpc.

grahamb gravatar imagegrahamb ( 2020-04-13 11:48:51 +0000 )edit

Yes,it UDP. But how to set the dissector?

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-13 11:54:21 +0000 )edit

As per the 2nd page for protobuf in the User Guide. Initially leave the message type blank, just set the ports.

grahamb gravatar imagegrahamb ( 2020-04-13 11:58:45 +0000 )edit

Yes,I Set the UDP ports :8002,and let the "Message" and "Type" blank.But there is no change on the table. If I need to select the data row and right click, -> Docode As ....

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-13 12:21:59 +0000 )edit

Can you share your capture file? Use a public share such as Google Drive, DropBox etc and post a link back here.

grahamb gravatar imagegrahamb ( 2020-04-13 12:58:34 +0000 )edit

Doesn't seem to be any UDP traffic in those captures that looks like Protobuf. can you give the source and dest ip addresses.

grahamb gravatar imagegrahamb ( 2020-04-13 13:36:56 +0000 )edit

The source ip and Dest ip are both local network trafic. https://drive.google.com/file/d/1bakt...

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-13 13:42:43 +0000 )edit

This is come from TCP socket (local network), send data by protobuf. https://drive.google.com/open?id=1y4x...

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-13 13:53:08 +0000 )edit

So when I asked if your traffic was over UDP and you said yes, you meant except for the traffic over TCP. That capture (dumpcap.pcap) can be ignored.

In the other capture (vcs.pcapng), when I filter for UDP, there doesn't seem to be any traffic that looks like protobuf. In this capture what are the source and dest ip addresses and ports?

grahamb gravatar imagegrahamb ( 2020-04-13 14:09:54 +0000 )edit
wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-14 12:02:51 +0000 )edit

The most recent capture contains a single TCP packet. As I've noted in previous comments, the protobuf dissector only supports protobuf traffic over UDP or gRPC.

grahamb gravatar imagegrahamb ( 2020-04-14 13:02:58 +0000 )edit

How about the vcs.pcapng ? this is aboslutly can be dissected ,because I can use the plugin-in for wireshark -protobuf Version 1.8.6 dissect the data. But I don't know how to discode it by wireshark version 3.2.0.

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-15 03:02:40 +0000 )edit

The older protobuf plugin is a different dissector to the one currently built-in so behaves differently. The vcs.pcapng contains a lot of random traffic can you identify which traffic (src, dest IP and ports) is protobuf? Even better, filter the capture to only have protobuf traffic and share it again,

grahamb gravatar imagegrahamb ( 2020-04-15 09:58:58 +0000 )edit

https://drive.google.com/open?id=1B2z... I resent this file (vs22.pcapng) only one data row ...

wwwkkkzzz gravatar imagewwwkkkzzz ( 2020-04-15 15:01:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-13 09:37:32 +0000

Seen: 9,930 times

Last updated: May 20 '20