How to decode protobuf by wireshark

asked 2020-04-13 09:37:32 +0000

wwwkkkzzz
1 ●1 ●6 ●2

I have the version 3.3.0 of wireshark, And I have a test.pcapng .How can be decode it. I just select one data,right click-> "Decode as" , I want change it protocol, but there not found ProtoBuf in current column. Is there have detail manul for decode the Protobuf.

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2020-05-20 16:40:53 +0000

Skison
1 ●1

To support protobuf over tcp, you can write a Lua script and put it in your Lua plugins directory ("Help->About Wireshark->Folders->Personal Lua Plugins").

The file name might be "protobuf_tcp.lua", and the content likes:

do
    local protobuf_tcp_proto = Proto("protobuf_tcp", "Protobuf over TCP")
    local protobuf_dissector = Dissector.get("protobuf")
    local f_length = ProtoField.uint32("protobuf_tcp.length", "Length", base.DEC)
    protobuf_tcp_proto.fields = { f_length }
    -- This must be the root message defined in your .proto file
    local message_type = "tutorial.AddressBook"

    function protobuf_tcp_proto.dissector(tvb, pinfo, tree)
        local offset = 0
        local remaining_len = tvb:len()
        local subtree = tree:add(protobuf_tcp_proto, tvb())
        pinfo.columns.protocol:set("PB_TCP")
        while remaining_len > 0 do
            if remaining_len < 4 then -- head not enough
                pinfo.desegment_offset = offset
                pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
                return -1
            end

            local data_len = tvb(offset, 4):uint()

            if remaining_len - 4 < data_len then -- data not enough
                pinfo.desegment_offset = offset
                pinfo.desegment_len = data_len - (remaining_len - 4)
                return -1
            end
            subtree:add(f_length, tvb(offset, 4))

            pinfo.private["pb_msg_type"] = "message," .. message_type
            pcall(Dissector.call, protobuf_dissector, tvb(offset + 4, data_len):tvb(), pinfo, subtree)

            offset = offset + 4 + data_len
            remaining_len = remaining_len - 4 - data_len
        end
    end

    -- TCP port
    DissectorTable.get("tcp.port"):add(18127, protobuf_tcp_proto)
end

Remember to replace "tutorial.AddressBook" with the fullname of the root message defined in your .proto file and tcp port 18127 with your tcp port of your capture file.

You should be sure your .proto file is in the "Protobuf search paths", and make sure "load all files" option checked.

You can use "decode as" now if your message types for all tcp ports are the same.

Certainly, you can make the message type for each tcp port different and configurable by adding something like: protobuf_tcp_proto.prefs.tcp_port_message_maps = Pref.string("TCP Ports and Message Maps", "18127:tutorial.AddressBook", "Format: port1:message.type1,port2:message.type2,...") But that need more code.

edit flag offensive delete link

Comments

Now, you can refer to https://gitlab.com/wireshark/wireshar... for more details about wireshark protobuf dissector.

Skison ( 2020-11-20 11:10:51 +0000 )edit

add a comment

answered 2020-04-13 10:43:33 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

You need to supply a .proto file that describes the protobuf format in use. See this page and the following one, from the User's Guide that describes how you can configure this.

edit flag offensive delete link

Comments

Yes,I config it already, in "Edit"->"Prefences"->"Protocols"->"Protobuf" . Did I nedd selecte the Data Row, and right click-> Decode As ?

wwwkkkzzz ( 2020-04-13 11:24:36 +0000 )edit

If your traffic is over UDP, then set the ports and message types in the dissector preference accordingly, else your traffic must be over HTTP using grpc.

grahamb ( 2020-04-13 11:48:51 +0000 )edit

Yes,it UDP. But how to set the dissector?

wwwkkkzzz ( 2020-04-13 11:54:21 +0000 )edit

As per the 2nd page for protobuf in the User Guide. Initially leave the message type blank, just set the ports.

grahamb ( 2020-04-13 11:58:45 +0000 )edit

Yes,I Set the UDP ports :8002,and let the "Message" and "Type" blank.But there is no change on the table. If I need to select the data row and right click, -> Docode As ....

wwwkkkzzz ( 2020-04-13 12:21:59 +0000 )edit

Can you share your capture file? Use a public share such as Google Drive, DropBox etc and post a link back here.

grahamb ( 2020-04-13 12:58:34 +0000 )edit

File can download by : https://drive.google.com/open?id=1bak...https://drive.google.com/open?id=1y4x...

wwwkkkzzz ( 2020-04-13 13:20:33 +0000 )edit

The 2 Files can download by : https://drive.google.com/open?id=1bak...https://drive.google.com/open?id=1y4x...

wwwkkkzzz ( 2020-04-13 13:21:02 +0000 )edit

Doesn't seem to be any UDP traffic in those captures that looks like Protobuf. can you give the source and dest ip addresses.

grahamb ( 2020-04-13 13:36:56 +0000 )edit

The source ip and Dest ip are both local network trafic. https://drive.google.com/file/d/1bakt...

wwwkkkzzz ( 2020-04-13 13:42:43 +0000 )edit

This is come from TCP socket (local network), send data by protobuf. https://drive.google.com/open?id=1y4x...

wwwkkkzzz ( 2020-04-13 13:53:08 +0000 )edit

So when I asked if your traffic was over UDP and you said yes, you meant except for the traffic over TCP. That capture (dumpcap.pcap) can be ignored.

In the other capture (vcs.pcapng), when I filter for UDP, there doesn't seem to be any traffic that looks like protobuf. In this capture what are the source and dest ip addresses and ports?

grahamb ( 2020-04-13 14:09:54 +0000 )edit

I resent the .pcap, these two file is only one data. https://drive.google.com/open?id=1lRl...https://drive.google.com/open?id=1KEt...

wwwkkkzzz ( 2020-04-14 12:02:51 +0000 )edit

The most recent capture contains a single TCP packet. As I've noted in previous comments, the protobuf dissector only supports protobuf traffic over UDP or gRPC.

grahamb ( 2020-04-14 13:02:58 +0000 )edit

How about the vcs.pcapng ? this is aboslutly can be dissected ,because I can use the plugin-in for wireshark -protobuf Version 1.8.6 dissect the data. But I don't know how to discode it by wireshark version 3.2.0.

wwwkkkzzz ( 2020-04-15 03:02:40 +0000 )edit

The older protobuf plugin is a different dissector to the one currently built-in so behaves differently. The vcs.pcapng contains a lot of random traffic can you identify which traffic (src, dest IP and ports) is protobuf? Even better, filter the capture to only have protobuf traffic and share it again,

grahamb ( 2020-04-15 09:58:58 +0000 )edit

https://drive.google.com/open?id=1B2z... I resent this file (vs22.pcapng) only one data row ...

wwwkkkzzz ( 2020-04-15 15:01:49 +0000 )edit

see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

How to decode protobuf by wireshark

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

How to decode protobuf by wireshark edit

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

How to decode protobuf by wireshark