Goose Packet Expert Information for "Index & Tag"

asked 2022-03-24 17:11:05 +0000


updated 2022-04-01 05:15:19 +0000

Dear Wireshark Community,

This problem is an extension of an issue on GitLab.

We are trying to show detailed expert information for a goose packet. We expect to see:

1) where the error field is
2) what the error field is
3) why it is treated as an error

The following picture shows an example


This is a goose packet and it is malformed because the length of the field "numDataSetEntries" is 0 (the highlighted part).

The reason is correctly shown (achieved (2)).

We also want to show the absolute index of the highlighted field to automate our analysis process. I have read that tvb_raw_offset might do the job; any hint for using it?

I am also wondering if it is possible to show the tag part in our case, since I think the only error part is the length field.

Thanks for reading my question!

Best Regards,

Ke Wang


Comments

In the example above, you would like to print 0x8a (the byte before the zero length)?
What version of Wireshark is the screen shot?
Is that a custom build including the patch in the Gitlab issue?

Chuckc ( 2022-03-24 18:22:24 +0000 )

Thanks for the reply,

the build info is:

3.7.0 (v3.7.0rc0-1455-gf43ce70fd9cc)

I only added the expert info with this code:

--- a/epan/dissectors/packet-ber.c +++ b/epan/dissectors/packet-ber.c @@ -1864,6 +1864,15 @@ proto_tree_add_debug_text(tree, "INTEGERnew dissect_ber_integer(%s) entered impl len = remaining>0 ? remaining : 0; }

  • if (len == 0) {
  • actx->created_item = NULL;
  • proto_tree_add_expert_format(
  • tree, actx->pinfo, &ei_ber_error_length, tvb, offset - len, 1,
  • "BER Error: Can't handle integer length: %u, index %i",
  • len, offset);
  • return offset;
  • } +
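Review bot: in the `proto_tree_add_expert_format(..., tvb, offset - len, 1, ...)` call, `len` is 0 inside this branch, so `offset - len` is just `offset` and the 1-byte expert item lands on the length byte; if the tag byte should be highlighted too, the hunk would have to carry the position where the tag started, which it does not track. The `%i` in the message prints the offset within the current tvb, not the absolute position in the frame that the question asks for; `tvb_raw_offset(tvb) + offset` gives the frame-relative value.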

you can also see it in the link I provided above (https://gitlab.com/wireshark/wireshar...)

There is no other modification.

Ke ( 2022-03-24 22:36:51 +0000 )

Are you looking to add C code or would a Lua plugin work?

GOOSE error fields
    [Tag Number: 10]
    BER type: 0x8a
    BER length: 0
    [Offset: 123]
Chuckc ( 2022-03-24 23:40:22 +0000 )

We are trying to add C code, but we are open to other options as long as it does the job. (btw, I am still studying the code and have not read about Lua plugins yet.) I really like your sample output; is it possible to display the BER type in more detail, e.g. numDataSetEntries?

Ke ( 2022-03-24 23:44:09 +0000 )

Kick the tires on this. If it looks promising then not a big deal to add the type details.

-- 220324 - ask question - display GOOSE BER errors
-- https://ask.wireshark.org/question/26534/goose-packet-expert-information-for-index-tag/
--------------------------------------------------------

local goose_error_info =
{
    version = "1.0.0",
    author = "Chuck Craft",
    description = "Display BER encoding errors",
}

set_plugin_info(goose_error_info)

-- we create a "protocol" for our tree
local goose_error_p = Proto.new("goosePdu_Error","GOOSE error fields")

local pf = {
    tagnum = ProtoField.uint8("goose_error.tagnum", "Tag Number", base.DEC),
    type = ProtoField.uint8("goose_error.type", "BER type", base.HEX),
    length = ProtoField.uint8("goose_error.length", "BER length"),
    value = ProtoField.string("goose_error.value", "BER value"),
    offset = ProtoField.string("goose_error.offset", "Offset"),
}

-- we add our fields to the protocol
goose_error_p.fields = pf

-- fields to grab goosePdu data from each frame
goosePdu_fi = Field.new("goose.goosePdu_element")

-- let's do it!
function goose_error_p.dissector(tvb,pinfo,root)

    if goosePdu_fi() then
        local offset = 0
        local tagnum

        while offset < goosePdu_fi().len ...
(more)
Chuckc ( 2022-03-25 02:16:51 +0000 )
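The complete postdissector below is an added example, not the plugin Chuck posted above: it walks the BER tag/length headers inside goose.goosePdu_element (descending into constructed elements), flags every zero-length primitive field with a MALFORMED expert item, and records the tag number and the absolute frame offset of the length byte, which is what the question asks for. The protocol name goose_zlen and its field abbreviations are my own choice; goose.goosePdu_element is the field name used in this thread.

```lua
-- Names under goose_zlen.* are assumed (mine); goose.goosePdu_element is Wireshark's field.
local p = Proto("goose_zlen", "GOOSE zero-length BER fields")
local f = {
    tagnum = ProtoField.uint32("goose_zlen.tagnum", "Tag Number", base.DEC),
    offset = ProtoField.uint32("goose_zlen.offset", "Frame offset of length byte", base.DEC),
}
p.fields = f
local ei_zero = ProtoExpert.new("goose_zlen.zero_length", "BER length is zero",
                                expert.group.MALFORMED, expert.severity.ERROR)
p.experts = { ei_zero }
local goosePdu_fi = Field.new("goose.goosePdu_element")
-- Parse one BER tag+length header at pos of TvbRange r. Returns tag number, constructed flag,
-- length (nil = indefinite or high-tag-number form, unused by goosePdu) and first value byte.
local function read_header(r, pos)
    local b = r:range(pos, 1):uint()
    local tagnum, constructed = b % 32, math.floor(b / 32) % 2 == 1
    if tagnum == 31 then return tagnum, constructed, nil, pos + 1 end
    local len = r:range(pos + 1, 1):uint()
    pos = pos + 2
    if len == 128 then return tagnum, constructed, nil, pos end
    if len > 128 then                          -- long form: length in the next (len-128) bytes
        local n = len - 128; len = 0
        for _ = 1, n do
            len = len * 256 + r:range(pos, 1):uint()
            pos = pos + 1
        end
    end
    return tagnum, constructed, len, pos
end
-- Walk [first, last) of r recursively; base is r's absolute offset within the frame.
local function walk(r, base, first, last, tree)
    local pos = first
    while pos < last do
        local tagnum, constructed, len, vpos = read_header(r, pos)
        if len == nil or vpos + len > last then return end   -- cannot parse further: stop
        if constructed then
            walk(r, base, vpos, vpos + len, tree)
        elseif len == 0 then                   -- e.g. 0x8a 0x00: tag 10 (numDatSetEntries)
            local item = tree:add(f.tagnum, r:range(pos, vpos - pos), tagnum)
            item:add(f.offset, r:range(vpos - 1, 1), base + vpos - 1)
            item:add_proto_expert_info(ei_zero)
        end
        pos = vpos + len
    end
end
function p.dissector(tvb, pinfo, root)
    local fi = goosePdu_fi()                   -- nil when the frame carries no GOOSE PDU
    if fi then walk(fi.range, fi.offset, 0, fi.len, root:add(p, fi.range)) end
end
register_postdissector(p)
```

Drop the file into the personal plugins directory and reload Lua plugins; the reported offset is relative to the data source the GOOSE dissector ran on, which is the frame itself for unreassembled Ethernet-carried GOOSE.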