Ask Your Question
0

LUA: ProtoField as tag packet ?

asked 2021-10-11 19:55:28 +0000

sezb51 gravatar image

Hello,

in my lua dissector most of the packet types do have IMSI information extracted and dissected using:

f.imsi = ProtoField.string ("s8hr.imsi", "IMSI")

There is one packet type where IMSI can only be extracted by string manipulation on the nested SIP header.

function extract_imsi(sip_user, sip_host)
  numbers = {}
  for num in string.gmatch(sip_host, "%d+") do
        numbers[#numbers + 1] = tostring(num)
  end
  local imsi = numbers[2] .. numbers[1] .. sip_user
  return imsi
end

Is it possible to bind such computed value to the ProtoField (aka tag) so that a "display filter" search "s8hr.imsi" would include such packets as well ?

Thx, A.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-10-13 06:34:38 +0000

sezb51 gravatar image

updated 2021-10-13 06:35:10 +0000

Hello,

I just realize that I can do "s8hr_tree:add (f.imsi, imsi)" and that allows to fully search for s8hr.imsi == "xxxxx" even though the packet has no real f.imsi data in the raw payload:

if (sip_user ~= nil and sip_host ~= nil) then
  local imsi = extract_imsi(sip_user, sip_host)
  s8hr_tree:add (f.imsi, imsi)
  s8hr_tree:append_text(", IMSI: " .. imsi)

Thank you, Andrea

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-10-11 19:55:28 +0000

Seen: 24 times

Last updated: Oct 13