How can I write a dissector for a part of the LLDP payload in Lua?

asked 2022-05-05 12:25:40 +0000

updated 2022-05-05 13:24:08 +0000

I want to write a dissector for the "Unknown Subtype Content" (see captured text output below).

Frame 3: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface ...
Ethernet II, Src: Private_7a:b3:ca (10:00:00:7a:b3:ca), Dst: LLDP_Multicast (01:80:c2:00:00:0e)
Link Layer Discovery Protocol
    Chassis Subtype = MAC address, Id: ...
    Port Subtype = Port component, Id: ...
    Time To Live = 65535 sec
    CompanyXYZ - Unknown (1)
        1111 111. .... .... = TLV Type: Organization Specific (127)
        .... ...0 0100 0101 = TLV Length: 69
        Organization Unique Code: 11:22:33 
        Unknown Subtype: 1
        Unknown Subtype Content: 01000000426f6d626172646965722054434d530000000000000000000000000000000000…
    End of LLDPDU

The data that I want to analyse is part of the Ethernet payload (not UDP or TCP), and I don't know of any port number for it. I understood that I have to write a heuristic dissector for it. I tried the following:

ttdp = Proto("TTDP",  "Train Top Protocol")

function ttdp.dissector (buf, pkt, root)
  print("ttpd.dissector was called.")
end

local function heuristic_checker(buffer, pinfo, tree)
  print("dummy ttdp heuristic_checker() called")
  -- do some checks before returning true !!!
  return true
end

ttdp:register_heuristic("ethernet", heuristic_checker)

But I got the error message "there is no heuristic list for 'ethernet'". How can I hook my dissector onto the existing ethernet/lldp dissector?

answered 2022-05-05 15:42:51 +0000

If you just want to process the data without exploring heuristic dissectors, try a post-dissector.
There is a sample capture attached to Issue 16227 - LLDP: Add ONOS TLV (and ethernet types)

Train Top Protocol
    ttdp data: 00:00:01:6e:97:7f:f7:ac
    ttdp data: 2d:58:32:97:0b:a8:e8:72:9d:6d:b6:d9:49:c1:04:38:d7:70:97:e5:b3:3d:15:fa:bf:33:5c:00:5c:70:67:77

-- TTDP.lua
-- Grab and format fields as needed

-- Step 1 - document as you go. See header above and set_plugin_info().
local ttdp_info =
{
    version = "1.0.0",
    author = "Chuck Craft",
    description = "Print lldp.unknown_subtype.content",
}

set_plugin_info(ttdp_info)

-- Step 2 - create a protocol to attach new fields to
local ttdp_p = Proto.new("ttdp","Train Top Protocol")

-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("ttdp.payload", "ttdp data") }

ttdp_p.fields = pf

-- Step 4 - grab existing field(s) for processing
-- (Field.new must be called outside the dissector function)
local ttdp_payload_f = Field.new("lldp.unknown_subtype.content")

-- Step 5 - create the postdissector function that will run on each frame/packet
function ttdp_p.dissector(tvb,pinfo,root)
    local tree = nil

    -- copy every occurrence of the field in this frame into a table
    local finfo = { ttdp_payload_f() }

    if (#finfo > 0) then
        if not tree then
            tree = root:add(ttdp_p)
        end
        for k, v in pairs(finfo) do
            -- format the field value as a string and add it to the tree
            local field_data = string.format("%s", v)
            tree:add(pf.payload, field_data)
        end
    end
end

-- Step 6 - register the new protocol as a postdissector
register_postdissector(ttdp_p)

This seems to be a good approach to my problem. Thank you.

DB_Sys ( 2022-05-06 11:54:32 +0000 )

answered 2022-05-05 13:49:56 +0000

You can register for the OUI and work your way up from there. The table is lldp.orgtlv.oui

Hello Jaap,

thank you for your quick answer.

How can I register my heuristic dissector for lldp.orgtlv.oui? If I do ttdp:register_heuristic("lldp.orgtlv.oui", heuristic_checker) I get the same error. I don't think I got your point.

DB_Sys ( 2022-05-05 15:00:27 +0000 )

It's not a heuristic table:

tshark -G dissector-tables | grep "lldp"
lldp.orgtlv.oui LLDP OUI        FT_UINT24       BASE_HEX        LLDP    Decode As not supported

I think you want something like so:

local lldp_orgtlv_oui_table = DissectorTable.get("lldp.orgtlv.oui")
lldp_orgtlv_oui_table:add(0x112233, ttdp)

Ref 11.6.2. DissectorTable

cmaynard ( 2022-05-05 15:38:11 +0000 )

Great! This worked. Unfortunately, "lldp.orgtlv.oui" is the only dissector table for lldp. I need to dissect another lldp frame with the payload in another TLV.

DB_Sys ( 2022-05-06 12:02:14 +0000 )

This is the only extension mechanism the protocol allows for. If you have non-standard TLVs added to the packets, certain endpoints may not accept these.

Jaap ( 2022-05-06 13:02:57 +0000 )
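
One way to build on the `lldp.orgtlv.oui` registration shown in the answer above, as an added example that is not code from the thread: a dissector that validates the TLV header, OUI and length from the question's capture before decoding anything. It assumes the LLDP dissector hands the registered dissector a buffer that begins at the 2-byte TLV header, and checks that rather than trusting it; the `ttdp_tlv` protocol and field names are hypothetical.

```lua
-- Added example: the ttdp_tlv names are hypothetical, not from the thread.
local ttdp_tlv = Proto("ttdp_tlv", "Train Top Protocol (LLDP org TLV)")

local f = {
    subtype = ProtoField.uint8("ttdp_tlv.subtype", "Subtype", base.DEC),
    content = ProtoField.bytes("ttdp_tlv.content", "Content"),
}
ttdp_tlv.fields = f

local OUI     = 0x112233   -- Organization Unique Code from the question's capture
local HDR_LEN = 2 + 3 + 1  -- TLV header + OUI + subtype

function ttdp_tlv.dissector(tvb, pinfo, tree)
    -- Assumption: tvb starts at the 2-byte TLV header. Verify it; returning 0
    -- rejects the buffer so the LLDP dissector's generic decoding is used.
    if tvb:len() < HDR_LEN then return 0 end

    local tlv_type = tvb:range(0, 2):bitfield(0, 7)  -- upper 7 bits
    local tlv_len  = tvb:range(0, 2):bitfield(7, 9)  -- lower 9 bits
    if tlv_type ~= 127 or tvb:range(2, 3):uint() ~= OUI then return 0 end

    -- tlv_len counts OUI (3) + subtype (1) + content; reject short or
    -- truncated TLVs instead of reading past the end of the buffer.
    if tlv_len < 4 or tvb:len() < 2 + tlv_len then return 0 end

    local subtree = tree:add(ttdp_tlv, tvb:range(0, 2 + tlv_len))
    subtree:add(f.subtype, tvb:range(5, 1))

    local content_len = tlv_len - 4
    if content_len > 0 then
        subtree:add(f.content, tvb:range(HDR_LEN, content_len))
    end
    return 2 + tlv_len  -- bytes consumed
end

-- Hook into the LLDP dissector for this OUI only
DissectorTable.get("lldp.orgtlv.oui"):add(OUI, ttdp_tlv)
```

If the subtree never appears on frames carrying OUI 11:22:33, the layout assumption does not hold for your Wireshark version and the offsets need adjusting.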

