Goose Packet Expert Information for "Index & Tag"
Dear Wireshark Community,
This problem is an extension of issue on the gitlab
We are trying to show detailed expert information for goose packet. We expect to see:
1) where is the error field 2) what is the error field 3) why it is treated as an error
The following picture shows an example
This is a goose packet and it is malformed because the length of the field "numDataSetEntries" is 0 (the highlight part).
The reason is correctly shown (achieved (2)).
We also want to show the absolute index of the highlight field to automate our the analysis process. I have read that tvb_raw_offset might do the job, any hint for using it?
I am also wondering if it is possible to show the tag part in our case, since I think the only error part is the length field.
Thanks for reading my question!
Best Regards,
Ke Wang
In the example above, you would like to print 0x8a (the byte before the zero length)?
What version of Wireshark is the screen shot?
Is that a custom build including the patch in the Gitlab issue?
Thanks for the reply,
the build info is:
3.7.0 (v3.7.0rc0-1455-gf43ce70fd9cc)
I only add the expert info with the code part:
--- a/epan/dissectors/packet-ber.c +++ b/epan/dissectors/packet-ber.c @@ -1864,6 +1864,15 @@ proto_tree_add_debug_text(tree, "INTEGERnew dissect_ber_integer(%s) entered impl len = remaining>0 ? remaining : 0; }
you can also see it in the link I provided above (https://gitlab.com/wireshark/wireshar...)
There is no other modfication.
Are you looking to add C code or would a Lua plugin work?
GOOSE error fields [Tag Number: 10] BER type: 0x8a BER length: 0 [Offset: 123]We are trying to add C code, but open to other options as long as it does the job. (btw, I am still studyng the code, have not read Lua plugin yet.). I really like your sample output, is it possible to display ber type in more detail, e.g. numDataSetEntries?
Kick the tires on this. If it looks promising then not a big deal to add the
typedetails.-- 220324 - ask question - display GOOSE BER errors -- https://ask.wireshark.org/question/26534/goose-packet-expert-information-for-index-tag/ -------------------------------------------------------- local goose_error_info = { version = "1.0.0", author = "Chuck Craft", description = "Display BER encoding errors", } set_plugin_info(goose_error_info) -- we create a "protocol" for our tree local goose_error_p = Proto.new("goosePdu_Error","GOOSE error fields") local pf = { tagnum = ProtoField.uint8("goose_error.tagnum", "Tag Number", base.DEC), type = ProtoField.uint8("goose_error.type", "BER type", base.HEX), length = ProtoField.uint8("goose_error.length", "BER length"), value = ProtoField.string("goose_error.value", "BER value"), offset = ProtoField.string("goose_error.offset", "Offset"), } -- we add our fields to the protocol goose_error_p.fields = pf -- fields to grab goosePdu data from each frame goosePdu_fi = Field.new("goose.goosePdu_element") -- let's do it! function goose_error_p.dissector(tvb,pinfo,root) if goosePdu_fi() then local offset = 0 local tagnum while offset < goosePdu_fi().len ...(more)Thanks! I really appreciated for your help!
It is Lua plugin right? I will study it!
Yes - save it with a
.luaextension in thepersonal plugins directory. (B.4. Plugin folders)Chapter 10. Lua Support in Wireshark
Many thanks for your kindly help!!
I will try it!