Replace 802.11 dissector with custom lua dissector

asked 2021-05-10 13:10:00 +0000 by techge

I'd like to use a custom 802.11 dissector for a proprietary network protocol that I have analysed (at least in part so far), but I just can't manage to integrate it into Wireshark.

The Lua dissector is loaded at startup (if something goes wrong, Wireshark complains about it), and it appears in the protocol overview, but it is not applied to my pcaps, even if I disable the ieee80211 protocol in the list.

For now I think I am not adding it correctly to the upper-layer dissector table, because even:

DissectorTable.get("wtap_encap"):remove_all(Dissector.get("wlan"))

does not change anything. I tried a lot with different dissectors because I am not sure what the standard 802.11 proto dissector is actually applied to. What I really want to do is something like

DissectorTable.get("wtap_encap"):set(20, mydissector)

or anything else that lets me use my dissector beginning at the Frame Control field. What am I doing fundamentally wrong, such that none of my attempts to either replace, add or remove the 802.11 dissector works?

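A Lua dissector that takes over raw 802.11 frames and decodes the Frame Control, Duration/ID and Address 1 fields itself, as the question describes; this is an added example, not code from the question or from Wireshark. It assumes the capture's link type is raw 802.11 (wtap_encap 20, the value used above) and uses a hypothetical protocol name `myw` with placeholder field names.

```lua
-- Added example (not from the question or from Wireshark). Protocol name
-- and field abbreviations are hypothetical placeholders.
local myw = Proto("myw", "Custom 802.11 dissector (example)")

local types = { [0] = "Management", [1] = "Control", [2] = "Data", [3] = "Extension" }
-- Frame Control is sent least-significant byte first: byte 0 holds
-- version (bits 0-1), type (bits 2-3) and subtype (bits 4-7), byte 1 the flags.
local f_version  = ProtoField.uint8("myw.fc.version", "Protocol version", base.DEC, nil, 0x03)
local f_type     = ProtoField.uint8("myw.fc.type", "Type", base.DEC, types, 0x0C)
local f_subtype  = ProtoField.uint8("myw.fc.subtype", "Subtype", base.DEC, nil, 0xF0)
local f_flags    = ProtoField.uint8("myw.fc.flags", "Flags", base.HEX)
local f_duration = ProtoField.uint16("myw.duration", "Duration/ID", base.DEC)
local f_addr1    = ProtoField.ether("myw.addr1", "Address 1")
local f_rest     = ProtoField.bytes("myw.rest", "Remaining bytes")
myw.fields = { f_version, f_type, f_subtype, f_flags, f_duration, f_addr1, f_rest }

function myw.dissector(tvb, pinfo, tree)
  -- Need at least FC(2) + Duration/ID(2) + Address 1(6); reject anything shorter.
  if tvb:len() < 10 then return 0 end
  pinfo.cols.protocol = "MYW"
  local t  = tree:add(myw, tvb())
  local fc = t:add(tvb(0, 2), "Frame Control")
  fc:add(f_version, tvb(0, 1))
  fc:add(f_type,    tvb(0, 1))
  fc:add(f_subtype, tvb(0, 1))
  fc:add(f_flags,   tvb(1, 1))
  t:add_le(f_duration, tvb(2, 2))   -- little-endian on the wire
  t:add(f_addr1, tvb(4, 6))
  if tvb:len() > 10 then t:add(f_rest, tvb(10)) end
  -- bitfield() counts from the most significant bit of the byte.
  local ftype    = tvb(0, 1):bitfield(4, 2)
  local fsubtype = tvb(0, 1):bitfield(0, 4)
  pinfo.cols.info = string.format("%s frame, subtype %d", types[ftype], fsubtype)
  return tvb:len()
end

-- Take the place of the built-in "wlan" entry for encapsulation 20 (raw 802.11).
local encap = DissectorTable.get("wtap_encap")
encap:remove(20, Dissector.get("wlan"))
encap:add(20, myw)
```

Check the file's encapsulation before blaming the registration (the `frame.encap_type` field shows it): a capture recorded with a radiotap or other pseudo-header carries a different wtap_encap value and never reaches the entry for 20.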

Comments

I'd like to use a custom 802.11 dissector for a proprietary network protocol

So that protocol runs atop the 802.11 physical layer, but uses a completely different link layer, so it doesn't begin with a 2-byte Frame Control field, followed by a 2-byte Duration/ID field, followed by a 6-byte Address 1 field, etc.?

Guy Harris ( 2021-05-11 00:30:14 +0000 )

So that protocol runs atop the 802.11 physical layer, but uses a completely different link layer, so it doesn't begin with a 2-byte Frame Control field, followed by a 2-byte Duration/ID field, followed by a 6-byte Address 1 field, etc.?

No, it doesn't, but my dissector is semi-automatically created and already includes information about the said fields, therefore I would like to attach it directly after the 802.11 radio frame, although you would normally add it to the existing 802.11 dissector if you did it manually (these are custom extension field frames). In fact I might do this in the future, but for now I am looking for a way to use and test this dissector as is, to evaluate the whole approach.

techge ( 2021-05-11 11:30:04 +0000 )

No, it doesn't, but my dissector is semi-automatically created and already includes information about the said fields,

Why does it do so? Perhaps either 1) the automatic part of the process should be changed not to do so or 2) the manual part of the process should be changed not to do so. I'd evaluate an approach that dissects a protocol running on top of X by doing its own dissection of X itself, when X is already dissected by Wireshark, as a poor approach to dissecting that protocol.

Guy Harris ( 2021-05-11 18:34:01 +0000 )