USB HID dissector plugin

asked 2021-12-30 10:16:35 +0000 by Aokiar

updated 2021-12-30 14:08:45 +0000

I'm trying to use a dissector plugin from the 'openambit' open source project. The plugin is intended to dissect certain proprietary (ambit protocol) data from USB HID packets. Wireshark displays the USB traffic (captured via usbmon) so far as getting Frame, URB, HID Data, etc., but there's no output from the plugin. At startup Wireshark prints a series of errors - it is clearly unhappy, though this is supposedly working code.

To install the plugin I created a symlink at ~/.wireshark/.local/lib/wireshark/plugins/3.4/epan/ambit.so pointing to the locally built Openambit wireshark-dissector binary, and this is listed as a dissector under Help -> About Wireshark -> Plugins.

The code departs from that given in the Wireshark Developer's Guide, and is commented apparently acknowledging this. As I understand it, create_dissector_handle() should be called by proto_reg_handoff_ambit(), but instead register_dissector() is called by proto_register_ambit() which then also calls out to proto_reg_handoff_ambit(). I've tried rearranging the code to match the Wireshark Developer's Guide, but there is still no output from the plugin. If I remove the callout to proto_reg_handoff_ambit() then, as far as I can tell (printf debugging), it is never called.

This is all under Debian GNU/Linux 11 (bullseye), with the Debian packaged Wireshark 3.4.10 (3.4.10-0+deb11u1). Openambit is built from latest github sources (rev. edfde58). The plugin has clearly worked for others and one thought is that maybe it's only tested under MS Windows (the project documentation isn't explicit about this), if that would make a difference.

Excerpt from ambit-dissector.c (rev. 4f9ba59):

void proto_register_ambit(void)
{
    static hf_register_info hf[] = {
        /* ... */
    };

    static gint *ett[] = {
        /* ... */
    };

    proto_ambit = proto_register_protocol (
        "Suunto Ambit USB Protocol",
        "Ambit",
        "ambit"
        );

    proto_register_field_array(proto_ambit, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));
    ambit_handle = register_dissector("ambit", dissect_ambit, proto_ambit);

    // Function not called by the API, why ???
    proto_reg_handoff_ambit();
}

void proto_reg_handoff_ambit(void)
{
    /* ambit_handle = find_dissector("ambit"); */
    /* ambit_handle = create_dissector_handle(dissect_ambit, proto_ambit); */
    dissector_add_uint("usb.interrupt", IF_CLASS_UNKNOWN, ambit_handle);
    dissector_add_uint("usb.interrupt", IF_CLASS_HID, ambit_handle);
}

Startup error messages and version info:

$ tshark -v

(process:123503): GLib-CRITICAL **: 22:16:43.341: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.341: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.341: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.341: g_hash_table_insert_internal: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.341: g_hash_table_insert_internal: assertion 'hash_table != NULL' failed

<...snip...>

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_insert_internal: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_insert_internal: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_insert_internal: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_lookup: assertion 'hash_table != NULL' failed
OOPS: dissector table "usb.interrupt" doesn't exist
Protocol being registered is "Suunto Ambit USB Protocol"

(process:123503): GLib-CRITICAL **: 22:16:43.344: g_hash_table_lookup: assertion 'hash_table != NULL' failed

(process:123503): GLib-CRITICAL ...

Comments

For reasons currently unclear to me, the dissector is unable to locate the usb.interrupt dissector table in which it's attempting to register. That table is provided by the usb dissector; is it possible that your local build isn't building that? Can you check that the usb dissector is in your build and adding the required table by executing the following:

tshark -G dissector-tables | grep usb

In the output you should see something similar to:

...
usb.interrupt   USB interrupt endpoint  FT_UINT8        BASE_DEC        USB     Decode As not supported
...
grahamb ( 2021-12-30 12:19:11 +0000 )

I've added dissector-tables output to the question. To be clear, only the plugin ambit.so is built locally. Wireshark itself is from the stock Debian package.

Aokiar ( 2021-12-30 13:53:43 +0000 )

Looking at the plugin code (especially CMakeLists.txt), it seems to be at odds with how the process is documented and used for the plugins distributed with Wireshark. The comments in the code about the call to proto_reg_handoff_ambit not being made are indicative of an "older style" plugin. I think the plugin needs some rework to bring it up to current standards, but that's a job for the ambit project maintainers. You might also suggest to them that they contribute the code to the Wireshark project where it will become "built-in" and available for all to use, and be maintained regardless of Wireshark plugin API changes.

I'm uncertain if building plugins without a locally built version of Wireshark is officially supported. I know some folks have tried, but the usual practice is to build Wireshark first to ensure a working build environment, then add 3rd party plugins.

grahamb ( 2021-12-30 15:34:22 +0000 )
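An added illustration, not openambit's or Wireshark's code, of the registration lifecycle the question and the comments above circle around: libwireshark creates its dissector-table hash in packet_init() and then, in proto_init(), runs every protocol's register routine before any handoff routine. The C model below borrows those names (packet_init, proto_init, proto_register_plugin, dissector_add_uint) with simplified stand-in bodies, and assumes for the "old style" case that the plugin's registration code runs as soon as the .so is scanned, before packet_init(); 0x03 is the USB HID interface class code that IF_CLASS_HID stands for.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef void (*reg_cb)(void);
typedef struct { reg_cb register_protoinfo; reg_cb register_handoff; } proto_plugin;
static const char *table_names[8]; static int n_tables = 0;
static const char **dissector_tables = NULL; /* packet.c's table hash: NULL until packet_init() */
static const char *ambit_added_to = NULL;    /* set when dissector_add_uint() succeeds */
static proto_plugin *loaded_plugin = NULL;   /* what proto_register_plugin() remembers */
static void packet_init(void) { dissector_tables = table_names; n_tables = 0; }
static void proto_register_plugin(proto_plugin *p) { loaded_plugin = p; }
/* Models dissector_add_uint(): a missing table is reported and skipped, as in the log above. */
static bool dissector_add_uint(const char *table, unsigned pattern, const char *handle) {
    if (dissector_tables == NULL)
        fputs("g_hash_table_lookup: assertion 'hash_table != NULL' failed\n", stderr);
    else
        for (int i = 0; i < n_tables; i++)
            if (strcmp(dissector_tables[i], table) == 0) { ambit_added_to = table; return true; }
    printf("OOPS: dissector table \"%s\" doesn't exist (%s, pattern %u)\n", table, handle, pattern);
    return false;
}
/* The built-in usb dissector creates the table in phase 1; the plugin routines mirror the page. */
static void proto_register_usb(void) { table_names[n_tables++] = "usb.interrupt"; }
static void proto_register_ambit(void) { /* proto/field registration elided */ }
static void proto_reg_handoff_ambit(void) { dissector_add_uint("usb.interrupt", 0x03, "ambit"); }

static void proto_init(void) {
    proto_register_usb();                                    /* phase 1: built-in registers ... */
    if (loaded_plugin) loaded_plugin->register_protoinfo();  /* ... then plugin registers */
    if (loaded_plugin) loaded_plugin->register_handoff();    /* phase 2: handoffs; tables now exist */
}

/* Old style (assumed): plugin_register() runs register+handoff itself while plugins are scanned. */
static bool old_style_startup(void) {
    dissector_tables = NULL; ambit_added_to = NULL; loaded_plugin = NULL;
    proto_register_ambit(); proto_reg_handoff_ambit();  /* before packet_init(): no tables yet */
    packet_init(); proto_init();
    return ambit_added_to != NULL;                      /* false */
}

/* Developer's Guide style: plugin_register() only hands callbacks to proto_register_plugin(). */
static bool new_style_startup(void) {
    static proto_plugin plug = { proto_register_ambit, proto_reg_handoff_ambit };
    dissector_tables = NULL; ambit_added_to = NULL;
    proto_register_plugin(&plug); packet_init(); proto_init();
    return ambit_added_to != NULL;                      /* true */
}
```

old_style_startup() reproduces the assertion and OOPS lines from the question and never gets "ambit" into the table; new_style_startup() reaches usb.interrupt because the handoff is deferred until after the usb dissector has registered it.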