How can I write a dissector for a part of the LLDP payload in Lua ?

asked 2022-05-05 12:25:40 +0000

DB_Sys
1 ●1 ●1 ●1

updated 2022-05-05 13:24:08 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

I want to write a dissector for the "Unknown Subtype Content" (see captured text outout below).

Frame 3: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface ...
Ethernet II, Src: Private_7a:b3:ca (10:00:00:7a:b3:ca), Dst: LLDP_Multicast (01:80:c2:00:00:0e)
Link Layer Discovery Protocol
    Chassis Subtype = MAC address, Id: ...
    Port Subtype = Port component, Id: ...
    Time To Live = 65535 sec
    CompanyXYZ - Unknown (1)
        1111 111. .... .... = TLV Type: Organization Specific (127)
        .... ...0 0100 0101 = TLV Length: 69
        Organization Unique Code: 11:22:33 
        Unknown Subtype: 1
        Unknown Subtype Content: 01000000426f6d626172646965722054434d530000000000000000000000000000000000…
    End of LLDPDU

The data that I want to analyse is part of the ethernet payload (not UDP or TCP) I don´t know of any port number for it. I understood, that I have to write a heuristic dissector for it. I tried the following:

ttdp = Proto("TTDP",  "Train Top Protocol")

function ttdp.dissector (buf, pkt, root)
  print("ttpd.dissector was called.")
end

local function heuristic_checker(buffer, pinfo, tree)
  print("dummy ttdp heuristic_checker() called")
  -- do some checks before returning true !!!
  return true
end

ttdp:register_heuristic("ethernet", heuristic_checker)

But I got the error message "there is no heuristic list for 'ethernet' ". How can I hook on my dissector to the existing ethernet/lldp dissector ?

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2022-05-05 15:42:51 +0000

Chuckc
3023 ●6 ●608 ●20

If you just want to process the data without exploring heuristic dissectors, try a post-dissector.
There is a sample capture attached to Issue 16227 - LLDP: Add ONOS TLV (and ethernet types)

Train Top Protocol
    ttdp data: 00:00:01:6e:97:7f:f7:ac
    ttdp data: 2d:58:32:97:0b:a8:e8:72:9d:6d:b6:d9:49:c1:04:38:d7:70:97:e5:b3:3d:15:fa:bf:33:5c:00:5c:70:67:77

-- TTDP.lua
-- https://ask.wireshark.org/question/27062/how-can-i-write-a-dissector-for-a-part-of-the-lldp-payload-in-lua/
-- Grab and format fields as needed

-- Step 1 - document as you go. See header above and set_plugin_info().
local ttdp_info =
{
    version = "1.0.0",
    author = "Chuck Craft",
    description = "Print lldp.unknown_subtype.content",
}

set_plugin_info(ttdp_info)

-- Step 2 - create a protocol to attach new fields to
local ttdp_p = Proto.new("ttdp","Train Top Protocol")

-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("ttdp.payload", "ttdp data") }

ttdp_p.fields = pf

-- Step 4 - grab existing field(s) for processing
ttdp_payload_f = Field.new("lldp.unknown_subtype.content")

-- Step 5 - create the postdissector function that will run on each frame/packet
function ttdp_p.dissector(tvb,pinfo,root)
    local tree = nil

    finfo = { ttdp_payload_f() }

    if (#finfo > 0) then
        if not tree then
            tree = root:add(ttdp_p)
        end
        for k, v in pairs(finfo) do
            local field_data = string.format("%s", v)
            tree:add(pf.payload, field_data)
        end
    end
end

-- Step 6 - register the new protocol as a postdissector
register_postdissector(ttdp_p)

edit flag offensive delete link

Comments

This seems to be a good approach to my problem. Thank you.

DB_Sys ( 2022-05-06 11:54:32 +0000 )edit

add a comment

answered 2022-05-05 13:49:56 +0000

Jaap

13742 ●711 ●115

You can register for the OUI and work your way up from there. The table is lldp.orgtlv.oui

edit flag offensive delete link

Comments

Hello Jaap,

thank you for your quick answer.

How can I register my heuristic dissector for lldp.orgtlv.oui ? If I do ttdp:register_heuristic("lldp.orgtlv.oui", heuristic_checker) I get the same error. I don´t think I got your point.

DB_Sys ( 2022-05-05 15:00:27 +0000 )edit

It's not a heuristic table:

tshark -G dissector-tables | grep "lldp"
lldp.orgtlv.oui LLDP OUI        FT_UINT24       BASE_HEX        LLDP    Decode As not supported

I think you want something like so:

local lldp_orgtlv_oui_table = DissectorTable.get("lldp.orgtlv.oui")
lldp_orgtlv_oui_table:add(0x112233, ttdp)

Ref 11.6.2. DissectorTable

cmaynard ( 2022-05-05 15:38:11 +0000 )edit

Great ! This worked. Unfortunately, "lldp.orgtlv.oui" is the only dissector table for lldp. I need to dissect another lldp frame with the payload in another TLV.

DB_Sys ( 2022-05-06 12:02:14 +0000 )edit

This is the only extension mechanism the protocol allows for. If you have non-standard TLVs added to the packets certain endpoints may not accept these.

Jaap ( 2022-05-06 13:02:57 +0000 )edit

add a comment