0

wireshark lua for a new ethernet header

asked 2020-10-26 09:12:27 +0000

jibwf

updated 2020-10-26 09:41:16 +0000

grahamb

I want to use Wireshark to strip or recognize a new Ethernet header.

The whole packet looks like: Ethernet II header(type 0xf001)+new private header(10 bytes)+normal ethernet type like 0x0800 or 0x0806+data

Here is my Lua; my problem is that Wireshark cannot go on to process the normal Ethernet type.

f2_shim = Proto ("f2_shim","Cisco F2 shim header")
-- ProtoField arguments are (abbr, name, base): filter name first, then display name
index = ProtoField.uint16("f2_shim.index","Index",base.HEX)
data =  ProtoField.uint64("f2_shim.data","Data",base.HEX)
f2_shim.fields = {index, data}

function f2_shim.dissector(buffer,pinfo,tree)
        pinfo.cols.protocol = "f2_shim"
        local subtree = tree:add(f2_shim,buffer(),"f2_shim Header")
        subtree:add(index,buffer:range(0,2))
        subtree:add(buffer(2,8),"data1: " .. buffer(2,8):uint64())
        Dissector.get("ethertype"):call(buffer:range(10):tvb(),pinfo,tree)
end

ether_table = DissectorTable.get("ethertype")
ether_table:add(0xf001,f2_shim)

Comments

Your problem description is unclear, please elaborate.

Jaap ( 2020-10-26 10:25:30 +0000 )

Thanks for looking at this.

The device adds a 12-byte header after the Eth SRC MAC.

Ethernet II header(new type 0xf001, 2 bytes)+new private header(10 bytes)+normal ethernet type like 0x0800 or 0x0806+data

0000   00 00 0c 07 ac 53 00 50 56 9f 3f 20 f0 01 10 00

//"f0 01" is the new ethernet type

0010   19 00 00 24 00 83 00 03 08 00 45 00 00 34 5a fb

//"19 00 00 24 00 83 00 03": ignore this, then we can see the normal ethernet type 0800

0020   40 00 80 06 33 c0 4c 60 40 6d 3a f6 a4 45 e3 86
0030   55 2d 8c 9c 2d 20 00 00 00 00 80 02 20 00 f0 96
0040   00 00 02 04 05 b4 01 03 03 08 01 01 04 02

jibwf ( 2020-10-26 10:33:23 +0000 )

You again describe what you have, but don't describe the problem. What is happening? What is the current output? And what are you expecting? Up 'til now the problem description comes down to 'it doesn't work'. That's unclear, please elaborate _on the problem_.

Jaap ( 2020-10-26 14:37:04 +0000 )

There needs to be some setup done before ethertype is called.
That is normally done in packet-eth which has three dissectors:

  eth_withoutfcs_handle = register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
  register_dissector("eth_withfcs", dissect_eth_withfcs, proto_eth);
  eth_maybefcs_handle = register_dissector("eth_maybefcs", dissect_eth_maybefcs, proto_eth);

eth is expecting the MAC addresses before the ethertype field.
The example below works but probably can be done cleaner.

f2_shim = Proto ("f2_shim","Cisco F2 shim header")
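-- ProtoField arguments are (abbr, name, base): filter name first, then display name
index = ProtoField.uint16("f2_shim.index","Index",base.HEX)
data =  ProtoField.uint64("f2_shim.data","Data",base.HEX)
f2_shim.fields = {index, data}

function f2_shim.dissector(buffer,pinfo,tree)
    -- 12 bytes of dummy dst/src MAC addresses, so that eth finds the ethertype where it expects it
    local b1 = ByteArray.new("000102aabbcb000102ddeeff")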
    pinfo.cols.protocol = "f2_shim"
    local subtree = tree:add(f2_shim,buffer(),"f2_shim Header")
--     subtree:add(index,buffer:range(0,2))
    subtree:add(buffer(2,8),"data1: " .. buffer(2,8):uint64())
    b1:append(buffer:bytes(10))
    Dissector.get("eth_maybefcs"):call(ByteArray.tvb(b1),pinfo,tree)
end

ether_table = DissectorTable.get("ethertype")
ether_table:add(0xf001,f2_shim)
Chuckc ( 2020-10-26 16:29:12 +0000 )

Pieces above are not a complete answer but maybe give a direction.

Chuckc ( 2020-10-26 16:32:11 +0000 )

2 Answers

0

answered 2020-10-27 05:06:28 +0000

jibwf

@Chuckc is right. eth is expecting the MAC addresses before the ethertype field.

I have changed my Lua here; it is imprecise, but enough for my requirement.

f2_shim = Proto ("f2_shim","Cisco F2 shim header")
-- ProtoField arguments are (abbr, name, base): filter name first, then display name
index = ProtoField.uint16("f2_shim.index","Index",base.HEX)
data =  ProtoField.uint64("f2_shim.data","Data",base.HEX)
-- named etype rather than type so the Lua built-in type() is not overwritten
etype = ProtoField.uint16("f2_shim.type","Type",base.HEX)
f2_shim.fields = {index, data, etype}

function f2_shim.dissector(buffer,pinfo,tree)
        pinfo.cols.protocol = "f2_shim"
        local f2_type = buffer(10,2)
        local subtree = tree:add(f2_shim,buffer(),"f2_shim Header")
        subtree:add(index,buffer:range(0,2))
        subtree:add(buffer(2,8),"data1: " .. buffer(2,8):uint64())
        subtree:add(etype,buffer:range(10,2))
        if (f2_type:uint() == 0x0800) then
            Dissector.get("ip"):call(buffer(12):tvb(), pinfo, tree)
        elseif (f2_type:uint() == 0x0806) then
            Dissector.get("arp"):call(buffer(12):tvb(), pinfo, tree)
        end
end

ether_table = DissectorTable.get("ethertype")
ether_table:add(0xf001,f2_shim)
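The hard-coded 0x0800/0x0806 branches in the answer above generalize to a lookup in the "ethertype" dissector table, which hands the payload to whichever dissector is registered for the inner type. This is an added example, not code from the thread; the local names (f_index, f_data, f_type, SHIM_LEN) are illustrative, and the 10-byte shim layout is the one described in the question.

```lua
-- Added example (not from the thread): dispatch on the inner EtherType through
-- the "ethertype" dissector table instead of calling the "ethertype" dissector.
local f2_shim = Proto("f2_shim", "Cisco F2 shim header")

-- Assumed layout, taken from the question: 2-byte index + 8-byte data,
-- followed by the 2-byte inner EtherType.
local SHIM_LEN = 10

-- ProtoField arguments are (abbr, name, base).
local f_index = ProtoField.uint16("f2_shim.index", "Index", base.HEX)
local f_data  = ProtoField.uint64("f2_shim.data",  "Data",  base.HEX)
local f_type  = ProtoField.uint16("f2_shim.type",  "Type",  base.HEX)
f2_shim.fields = { f_index, f_data, f_type }

local ethertype_table = DissectorTable.get("ethertype")

function f2_shim.dissector(buffer, pinfo, tree)
    -- Truncated or malformed frame: too short for the shim plus inner
    -- EtherType, so reject it instead of raising a Lua range error.
    if buffer:len() < SHIM_LEN + 2 then
        return 0
    end

    pinfo.cols.protocol = "f2_shim"
    local subtree = tree:add(f2_shim, buffer(0, SHIM_LEN + 2))
    subtree:add(f_index, buffer(0, 2))
    subtree:add(f_data,  buffer(2, 8))
    subtree:add(f_type,  buffer(SHIM_LEN, 2))

    -- Hand the remaining bytes to the dissector registered for the inner type
    -- (IPv4, ARP, IPv6, ...), but only if there is a payload at all.
    if buffer:len() > SHIM_LEN + 2 then
        local inner_type = buffer(SHIM_LEN, 2):uint()
        ethertype_table:try(inner_type, buffer(SHIM_LEN + 2):tvb(), pinfo, tree)
    end
    return buffer:len()
end

ethertype_table:add(0xf001, f2_shim)
```

The text2pcap sample in the other answer on this page follows the same layout and can be used to try it.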
0

answered 2020-10-26 19:58:02 +0000

cmaynard

updated 2020-10-26 20:07:51 +0000

The problem seems to be that packet-ethertype.c:dissect_ethertype() expects to be passed a pointer to an ethertype_data_t. Since there appears to be no way to pass this data to the dissector from a Lua dissector, dissect_ethertype() rejects it since the data is NULL.

I don't know any way around this problem except to open a bug report and see if someone can add support for this, or to rewrite the f2 shim as a built-in C dissector and ideally submit it for inclusion into Wireshark.

(Incidentally, the comment for dissect_ethertype() is wrong and should be fixed.)

So in theory, the f2 shim Lua dissector would look something more like so:

f2_shim = Proto ("f2_shim", "Cisco F2 shim header")
index = ProtoField.uint16("f2_shim.index", "Index", base.HEX)
data =  ProtoField.uint64("f2_shim.data", "Data", base.HEX)
f2_shim.fields = {index, data}

function f2_shim.dissector(buffer, pinfo, tree)
        local etype_data = nil -- The "magic" piece we can't use from Lua

        pinfo.cols.protocol = "f2_shim"
        local subtree = tree:add(f2_shim, buffer(0, 10))
        subtree:add(index, buffer:range(0, 2))
        subtree:add(data, buffer:range(2, 8))
        --[[
            In theory, we'd initialize and pass a pointer to etype_data,
            consisting of:
                etype
                payload_offset
                fh_tree
                trailer_fd
                fcs_len
         --]]
        Dissector.get("ethertype"):call(buffer:range(10):tvb(), pinfo, tree, etype_data)
end

ether_table = DissectorTable.get("ethertype")
ether_table:add(0xf001, f2_shim)

Lastly, since there seems to be some confusion about this f2 shim, here's some packet data that can be converted to a pcap file using text2pcap for testing, e.g., text2pcap f2_shim.txt f2_shim.pcap. It adds an f2 shim with index=1 and data=0xdeadbeefdeadbeef, at least as I understand the format and placement of the f2 shim to be. The real payload should be dissected as IP (carrying UDP), but it isn't due to the limitations described above:

0000   00 0e b6 00 00 02 00 0e b6 00 00 01 f0 01 00 01
0010   de ad be ef de ad be ef 08 00 45 00 00 37 00 00
0020   40 00 40 11 b5 ea c0 00 02 65 c0 00 02 66 82 35
0030   82 35 00 23 e8 54 53 b2 6e 9a bc de f0 c0 00 02
0040   64 20 01 0d b8 00 00 00 00 00 00 00 2f 2a 00 00
0050   01 

Comments

Is it possible to invoke a tap from Lua?

Chuckc ( 2020-10-26 20:37:31 +0000 )

Stats

Asked: 2020-10-26 09:12:27 +0000

Seen: 1,205 times

Last updated: Oct 27 '20