Ask Your Question
0

Adjusting Bit order and Endianess in LUA between Dissectors

asked 2017-11-03 11:37:45 +0000

Richard S gravatar image

Hi,

before I start my endeavor a quick check with the experts. I have an iWARP/RDMA trace, but apparently the HBA/NIC is sending the DDP/RDMA header already in host-bit/byte order (x86) and not according to RFC5040 (et al).

The built-in C-dissector for iWARP naturally can't detect that as proper iWARP traffic (was able to specifically bind the tcp port to the dissector in LUA, but due to the erraneous bit- and byte-ordering, the dissector cann't deal with it.

Here the Q:

Is it possible to have a Lua Dissector in between built-in C-dissectors, and how can I bind a built-in dissector to the output of my lua dissector? I plan to have Lua reverse the wire-bit/byte order to the expected litte-endian bit/byte order of all IETF described fields, so that the iWARP dissector works properly...

Best regards, Richard

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2017-11-04 13:12:16 +0000

Richard S gravatar image

updated 2017-11-04 13:22:33 +0000

sindy gravatar image

Correct, I mistakenly assumed the iwarp_mpa_tcp heuristic to properly find streams even without the handshake, when I point the iwarp_ddp dissector to a tcp session using Lua - which it doesn't (now obviously).

There seems to be a pretty old Bug 12361 where that exact same issue also caused a lot of confusion. I don't have the toolchain to make a windows binary of a fixed iwarp_mpa_tcp dissector that registers in the tcp.port dissector table (and provides a simple dissector for in-stream MPA header/CRC only). I don't know how to update that bug report. Providing the registering of the dissector (so that one can manually bind it to a specific port), and the dissector not solely relying on the conversation previously being found to be MPA (but simply assume the MPA framing and go from there) would be extremely helpful.

I guess in the meantime I have to take the C source of iwarp_mpa_tcp, recode that - excluding the heuristic - as Lua dissector.

(Having the capability within Lua to tell heuristic dissectors to work on a specific packet would be good too, going forward).

Thanks, Richard

edit flag offensive delete link more

Comments

To update bugs, you only need to register at bugs.wireshark.org. Once logged in, you can update bugs as needed.

sindy gravatar imagesindy ( 2017-11-04 13:26:41 +0000 )edit
0

answered 2017-11-03 13:22:07 +0000

sindy gravatar image

updated 2017-11-03 13:35:13 +0000

Is it possible to have a Lua Dissector in between built-in C-dissectors?

Yes. Lua dissectors can invoke built-in dissectors and vice versa.

how can I bind a built-in dissector to the output of my lua dissector?

By fetching a reference to it and calling it as any other function from your Lua code, passing it the same parameters which any dissector expects.

I plan to have Lua reverse the wire-bit/byte order to the expected litte-endian bit/byte order of all IETF described fields

And this is the part which is not obvious. No dissector can modify the contents of the frame, it is read-only. So in your Lua dissector, you have to create a new tvb structure, containing a reordered copy of the original tvb, and feed the iWARP dissector with a link to this structure instead of the original tvb. The result will be similar to how the dissection of a complete HTTP message is shown in the dissection three of the last one of the TCP segments carrying it - the packet bytes pane will contain another tab with only the rearranged bytes in it, and the packet dissection pane will show the full tree including the iWARP part of it. Your inserted dissector would look approximately like below - not tested, just a rough idea quickly extracted from a remotely similar scenario:

...
my origDissector = dissector.get("iwarp") -- or what is the dissector/protocol name
-- as you are going to replace the original dissector by your intermediate one
-- in the dissector table of the underlying layer\'s dissector, you may as well fetch
-- the link to the original dissector from that dissector table before replacing it
-- with your own one - in such case you don\'t need to know the name
...

function MyAuxProto.dissector(buffer,pinfo,tree)
    local MyArray = ByteArray.new("00")
    MyArray:set_size(buffer.len())
    -- now fill MyArray with a byte-reordered copy of buffer
    local MyTvb = ByteArray.tvb(MyArray,"reorderedBytes")
    return origDissector(MyTvb,pinfo,tree)
end
edit flag offensive delete link more

Comments

Thanks a lot!

So, I got confused - there is actually the iwarp_map layer present, but wireshark doesn't list any MPA dissector when iterating over all dissectors (using 2.4.2 - and https://wiki.wireshark.org/iWARP-MPA states it should be part of the standard package...). Anyone know where that dissector is?

Richard S gravatar imageRichard S ( 2017-11-03 23:50:03 +0000 )edit

Well, the link you've provided contains the following information:

Protocol dependencies
TCP: Typically, iWARP-MPA uses TCP as its transport protocol. There is no well known port for iWARP-MPA

Which is kind of obvious if you know the purpose of iWARP, which I didn't when writing the Answer. So stay tuned, I'm going to update the Answer.

sindy gravatar imagesindy ( 2017-11-04 07:26:00 +0000 )edit

Hm, not as easy as I thought, seems an important functionality is missing in the Lua API, see this recent question. So to prevent posting an untested suggestion as an Answer, please provide a sample capture so that I could check my thoughts on it. Login-free publishing of the capture file on Cloudshark or any file sharing service and editing the Question with a link to it is the preferred method at this site.

sindy gravatar imagesindy ( 2017-11-04 08:26:01 +0000 )edit

Hi Sindy, seems like the iwarp_mpa heuristic expects a tcp iwarp stream to be present from the beginning, if i read the c code correctly; in my case, the captures are in mid-stream (with locally known, static ports), and probably the heuristic will not detect it because all the handshakes (tcp syn, mpa negotiation,...) are missing. There is a iwarp sample available: https://wiki.wireshark.org/SampleCapt... ; if you export just packet 11 from the "write" trace, you have a mid-stream MPA/DDP/RDMA frame that does not get decoded (because all the handshaking is missing). I need to convince the iwarp_mpa_tcp to just decode that without going through any heuristic... I'm looking at those kinds of packets, just millions of them... and no way to get the handshake as that would be disruptive to the hosts/applications (unfeasible). Finally, but that should something Lua should be capable of ...(more)

Richard S gravatar imageRichard S ( 2017-11-04 10:39:48 +0000 )edit

Should I read that as that you've found out that the reason why your iWARP packets don't get decoded properly is not the wrong endianness of some of their fields but the fact that the stream setup is missing in the capture? If so, there is little point in trying to find out how to insert a dissector between tcp and any of its heuristic dissectors, which seems impossible with the current Lua API in general, and for iwarp_mpa in particular there are additional limitations.

A heuristic dissector of a protocol hooks in two entry points, one for packets which need to be classified using the heuristic and another one for packets belonging to a conversation previously identified as belonging to that protocol. But unlike for "standard" dissectors, you cannot read a link to the classification function back from a heuristic dissection table, nor is there any other ...(more)

sindy gravatar imagesindy ( 2017-11-04 11:22:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-03 11:37:45 +0000

Seen: 72 times

Last updated: Nov 04