can't get ZCL cluster id with LUA dissector
I have specific data in the payload of a ZCL message, for which I want the (decoded) data to be shown in the packet detail pane.
My dissector is as follows:

    -- create a new dissector
    local NAME = "LM_FCC0"
    local CID = 0xFCC0
    local LM_FCC0 = Proto(NAME, "lm 0xFCC0 Protocol")

    -- dissect packet
    function LM_FCC0.dissector(tvb, pinfo, tree)
        pinfo.cols.protocol = LM_FCC0.name
        pinfo.cols.info:prepend_text(" LM Info")
        local subtree = tree:add(LM_FCC0, tvb())
        local length = tvb:len()
        subtree:append_text(", length:" .. length)
    end

    -- register for cluster id 0xFCC0 in the ZCL cluster table
    DissectorTable.get("zbee.zcl.cluster"):add(CID, LM_FCC0)

When I load the dissector, I can find it in View -> Internals -> Dissector Tables, but the dissector doesn't work.
Can somebody please tell me what my mistake is?
Edit:
The attachment is my sniffer log. You can find the 0xFCC0 on line 642.
I can't upload the attachment, so I put it on GitHub. The repository address is as follows: https://github.com/Huihh/problem
Are you sure the CID value is correct for your traffic? Can you share a sample capture?
The ZigBee traffic is encrypted so without the keying info there's not much to look at.
Sorry, the nwkKey is: 56:E3:CC:61:B2:8F:88:ED:CE:FB:04:39:AA:27:40:45
Sorry, the capture was converted by Ubiqua. The data is encrypted on another computer here.
I will capture it tomorrow using Wireshark.
Thank you for your reply.
Hi grahamb,
This problem may not be caused by encryption. I used Wireshark to re-capture a new sample capture, and it still doesn't work.
The files (packetNum232_0xFCC0_20200624.pcapng and packetNum232_0xFCC0_PacketInfo.pdf) have been updated on GitHub.
If you are free, can you help me to check it?
thx
Your key worked so I can see the decrypted traffic. As I'm unfamiliar with Zigbee I'm having to work my way through the code.
I'm uncertain about the CID value being used to register in the zbee.zcl.cluster table. This is a 16 bit unsigned integer and, according to the MACRO used in the zcl dissector, is formed from the cluster id and the manufacturer code:
I can't find where the two values (mfr_code and cluster_id) come from. Another concern is that the macro shifts the mfr_code 16 bits to the left, but the table index is only 16 bits.
In the Zigbee specification: if it is a standard cluster, the manufacturer code field does not appear in the data frame. If it is a manufacturer-defined cluster, the manufacturer code field will appear in the data frame.
Both the manufacturer code and the CID are of type Uint16, and together the manufacturer code and CID can specify a unique data service channel.
Currently I am modifying the value of CID in the LUA dissector to 0x0000 (Basic Cluster Id of Zigbee), but the new dissector still does not work (Basic Cluster data on line 211 in the new sample capture still cannot be re-parsed).
Example dissection:
In the ZCL dissector, the table "index" for the sub-dissector is formed from calling the macro I listed above, e.g.
where cluster_id is (I think) generated from a previous packet and packet.mfr_code is the value displayed as the "Manufacturer Code" (in filter field zbee_zcl.cmd.mc) which in this case is 0x115f.
However, further inspection of the dissector shows that it will only call the registered sub-dissector if the Frame Type (zbee_zcl.type) is NOT a "Profile-wide" type. In your case it is, so no sub-dissector will be called. I have no idea if this is correct, but it is what is implemented. Note this is on the current master branch, your output indicates you may be running an older version.
Thank you for your reply.
Usually the Frame Type (zbee_zcl.type) isn't paid too much attention, and I need to further confirm its meaning here.
I had modified the value of CID in the LUA dissector to 0x0000 (0x0000 is the Basic Cluster Id of Zigbee), but the new dissector still does not work (Basic Cluster data without Manufacturer Code on line 211 in the new sample capture still cannot be re-parsed). In other words, it did not get zbee.zcl.cluster (CID = 0x0000) and replace it with the new dissector.
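
A diagnostic post-dissector for the two conditions raised in the answer above (the table key built from manufacturer code and cluster id, and the Frame Type check), as an added example that is not part of the original thread or of Wireshark's own code. The names `zcl_diag` and `cluster_key` are hypothetical, `zbee_aps.cluster` is assumed to be the APS cluster field, and a missing manufacturer code is treated as 0.

```lua
-- Added diagnostic example (not from the thread). Load as a Lua plugin.
-- zbee_zcl.type and zbee_zcl.cmd.mc are the filter fields named in the answer;
-- zbee_aps.cluster is an assumption about the APS dissector's field name.
local f_type    = Field.new("zbee_zcl.type")
local f_mfr     = Field.new("zbee_zcl.cmd.mc")
local f_cluster = Field.new("zbee_aps.cluster")

local PROFILE_WIDE = 0x00  -- ZCL frame type 0: profile-wide command

local diag = Proto("zcl_diag", "ZCL Sub-dissector Dispatch Diagnostic") -- hypothetical name
local pf_key     = ProtoField.uint32("zcl_diag.key", "Computed table key", base.HEX)
local pf_verdict = ProtoField.string("zcl_diag.verdict", "Cluster sub-dissector")
diag.fields = { pf_key, pf_verdict }

-- Key as described in the answer: manufacturer code shifted left 16 bits,
-- combined with the cluster id. Plain arithmetic is used so the script does
-- not depend on a particular Lua bit library.
local function cluster_key(cluster_id, mfr_code)
    return mfr_code * 0x10000 + cluster_id
end

function diag.dissector(tvb, pinfo, tree)
    local ftype, cluster = f_type(), f_cluster()
    if not ftype or not cluster then return end  -- not a ZCL frame

    local mfr = f_mfr()
    -- Assumption: no manufacturer code in the frame is treated as 0 here.
    local mfr_code = mfr and mfr.value or 0
    local key = cluster_key(cluster.value, mfr_code)

    local verdict
    if ftype.value == PROFILE_WIDE then
        verdict = "not called (profile-wide frame)"
    else
        verdict = "looked up with the computed key"
    end

    local st = tree:add(diag)
    st:add(pf_key, key):set_generated()
    st:add(pf_verdict, verdict):set_generated()
end

register_postdissector(diag)
```

With this loaded, each ZCL frame in the capture shows the key value to compare against the one passed to `DissectorTable.get("zbee.zcl.cluster"):add(...)`, and whether the Frame Type condition from the answer would skip the lookup.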