Ask Your Question
0

Coloring Rules based on Preference

asked 2023-03-31 23:08:01 +0000

kdwalkeraz gravatar image

Hi, is there a way to use preferences that a lua disector created to modify the coloring rules.

Example: Set the port number in a preferences because the port number can change and doing this will not require to change the lua script.

myprotocol = Proto("myproto", "MyProtocol")

local pref = myprotocol.prefs pref.port = Pref.uint ("Port", 3000, "Port for this protocal")

so in the coloring rules I just have to the folowing:

(tcp.dstport == myproto.port) || (tcp.srcport == myproto.port)

so only the preferences needs to change and not the coloring rules or the lua script when the port number changes.

Thanks

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2023-04-05 15:29:24 +0000

Chuckc gravatar image

updated 2023-04-05 15:30:03 +0000

This is heavily plagiarized (stolen?) from the work of @cmaynard in Guacamole Dissector.

Coloring rule: tcp.port == myproto.ProtPort

-- 230401: Ask 31160 - Coloring Rules based on Preference
local myproto_p = Proto("myproto", "MyProtocol Protocol")

-- Default settings
local MYPROTO_TCP_PORT = 3000

-- Preferences
local myproto_settings = {
    tcp_port = MYPROTO_TCP_PORT
}

myproto_p.prefs.tcp_port = Pref.uint("TCP port", myproto_settings.tcp_port,
    "The MyProtocol TCP port number (default=" .. MYPROTO_TCP_PORT .. ")")

-------------------------------------------------------------------------
function myproto_p.prefs_changed()

    if myproto_settings.tcp_port ~= myproto_p.prefs.tcp_port then
        -- remove old one, if not 0
        if myproto_p.prefs.tcp_port ~= 0 then
            DissectorTable.get("tcp.port"):remove(myproto_settings.tcp_port, myproto_p)
        end

        -- set our new default
        myproto_settings.tcp_port = myproto_p.prefs.tcp_port

        -- add new one, if not 0
        if myproto_settings.tcp_port ~= 0 then
            DissectorTable.get("tcp.port"):add(myproto_settings.tcp_port, myproto_p)
        end
    end

end -- myproto_p.prefs_changed()

local pf = {
    msgLen = ProtoField.int32("myproto.msglength", "Msg Length", base.DEC),
    myprotoData = ProtoField.bytes("myproto.Data", "MyProtocol Data"),
    myprotoPort = ProtoField.uint32("myproto.ProtPort", "MyProtocol Proto Port",base.DEC)
}

myproto_p.fields = pf

function myproto_p.dissector(buffer, pinfo, tree)
    length = buffer:len()
    pinfo.cols.protocol = myproto_p.name
    subtree = tree:add(myproto_p)
    subtree:add(pf.myprotoPort, myproto_settings.tcp_port)
    subtree:add(pf.msgLen, length)
    if length == 0 then return end
    --do disector work here
end

local tcp_port = DissectorTable.get("tcp.port") 
tcp_port:add(myproto_settings.tcp_port, myproto_p)
edit flag offensive delete link more

Comments

Yes that look to work. I liked the pref changed function, did not know that was there. I guess I need to read the docs better. thanks

kdwalkeraz gravatar imagekdwalkeraz ( 2023-04-05 19:05:36 +0000 )edit

Wireshark's Lua API
Yes, trying to find functions in the WSDG can be tough. I put together an index last year.
220711_wslua_Index_DRAFT.pdf

Chuckc gravatar imageChuckc ( 2023-04-05 19:18:39 +0000 )edit
0

answered 2023-04-01 00:30:45 +0000

Chuckc gravatar image

updated 2023-04-01 00:31:40 +0000

Coloring rules use the syntax of display filters which don't currently support checking a preference value. That would make a pretty good Enhancement Request on the Wireshark Gitlab issues.

Until/if/when this is added, could you add another field to your protocol, copy the preference value to it and use that in the coloring rule?

The field could be hidden or maybe should be displayed in the tree and marked with treeitem:set_generated([bool]).

edit flag offensive delete link more

Comments

I have tried doing something like that but it did not make a difference.

myproto_protocol = Proto(MyProto", "MyProtocol Protocol")
local pref = myproto_protocol .prefs pref.port = Pref.uint ("Port", 3000, "Port for this protocal")
msgLen = ProtoField.int32("myproto.msglength", "Msg Length", base.DEC) myprotoData = ProtoField.bytes("myproto.Data", "MyProtocol Data") myprotoPort = ProtoField.uint32("myproto.ProtPort", "MyProtocol Proto Port",base.DEC)
myproto_protocol .fields = { msgLen, myprotoData , myprotoPort }
myprotoPort =pref.port
function myproto_protocol .dissector(buffer, pinfo, tree)
length = buffer:len()
idacvmePort=pref.port
pinfo.cols.protocol = myproto_protocol .name
if length == 0 then return end --do disector work here end
local tcp_port = DissectorTable.get("tcp.port") 
tcp_port:add(pref.port, myproto_protocol )
kdwalkeraz gravatar imagekdwalkeraz ( 2023-04-01 15:36:54 +0000 )edit

When the preference for port number is changed, you would like it redissect the packets and update the coloring?
Will there be different profiles (with different port numbers) or will it always start with the default port?

Chuckc gravatar imageChuckc ( 2023-04-01 17:38:49 +0000 )edit

The preference for port number will only change based on what pcap file we are using so restarting wireshark would not be a issue but redissecting would be ok also. Not sure about the profiles

kdwalkeraz gravatar imagekdwalkeraz ( 2023-04-03 14:08:25 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-03-31 23:08:01 +0000

Seen: 353 times

Last updated: Apr 05 '23