Ask Your Question
1

IEEE 802.3 Ethernet dissector

asked 2023-06-15 15:07:14 +0000

mosp gravatar image

Want to make a lua dissector to go from frame:ethernet:my_protocol and I'm having trouble actually getting Wireshark to apply the protocol on top of the ethernet protocol. Tried something like etherTable = DissectorTable.get("ethertype"):add(0x1234, etherProto). Usually I believe that you would put something replacing the 0x1234 with the ethernet type, but the IEEE-802.3 has src, dst, and length fields. It recognizes the protocol in Wireshark, but when trying to decode as, it results in nothing.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2023-06-16 21:03:28 +0000

Guy Harris gravatar image

Usually I believe that you would put something replacing the 0x1234 with the ethernet type, but the IEEE-802.3 has src, dst, and length fields.

Originally, the IEEE standard for Ethernet different from the DEC/Intel/Xerox (D/I/X) standard by using the 2-byte field after the source address as a packet length rather than as a next-protocol type. By requiring Ethernet type values to be larger than 0x600, it was possible to determine whether a packet on an Ethernet is in D/I/X format or IEEE format. Eventually, the IEEE standard change to support both formats.

If your protocol is using "length-field" Ethernet packets, then the 14-byte destination/source/length header should be followed by an IEEE 802.2 header, which includes a one-byte Destination Service Access Point (DSAP) field, a one-byte Source Service Access Point (SSAP) field, and a one-byte or two-byte Control field. The DSAP and SSAP field are used to indicate what protocol is contained in the Ethernet frame.

If the DSAP and SSAP fields both have the value 0xAA, then the 802.2 header is followed by a Subnetwork Access Protocol (SNAP) header, which contains a 3-byte organizationally unique identifier (OUI) field and a 2-byte protocol ID field. If the OUI field has a value of 0x000000, the protocol ID field contains an Ethertype value; otherwise, it contains a value whose meaning is specified by the organization whose OUI appears in the OUI field.

802.2 and SNAP are used for link layers other than Ethernet, such as 802.5 Token Ring, FDDI, and 802.11 Wi-Fi; for those protocols, which don't (except for some Wi-Fi PHY layers) have an Ethernet type field, an OUI of 0x000000 is used for protocols such as IPv4 and IPv6. For Ethernet, this isn't necessary, so an OUI of 0x000000 is rarely used with SNAP headers.

So:

  • if your protocol uses an 802.2 header without SNAP, it presumably uses a particular DSAP value, and you can register your dissector in the "llc.dsap" dissector table, using that DSAP;
  • if your protocol uses an 802.2 header with SNAP, and the OUI is one of the OUIs for which Wireshark has support, that OUI would have a dissector table, and you can register your dissector in that dissector table, using the protocol ID value;
  • if your protocol uses an 802.2 header with SNAP, and the OUI is not one of the OUIs for which Wireshark has support, support for it would have to be added and, unfortunately, that's not currently supported in Lua.

The OUIs supported by the main branch of Wireshark are:

  • AppleTalk (0x080007), with a dissector table named "llc.apple_atalk_pid";
  • Apple AWDL (0x0017F2), with a dissector table named "llc.apple_awdl_pid";
  • Bluetooth (0x001958), with a dissector table named "llc.bluetooth_pid";
  • Cimetrics, Inc. (0x001090), with a dissector table named "llc.cimetrics_pid";
  • Cisco (0x00000C), with a dissector table named "llc.cisco_pid";
  • Extreme Networks EDP/ESRP (0x00E02B), with a dissector table named "llc.extreme_pid";
  • Force10 ...
(more)
edit flag offensive delete link more
add a comment
0

answered 2023-06-15 15:55:50 +0000

cmaynard gravatar image

but when trying to decode as, it results in nothing.

You shouldn't have to use "Decode As" if you register the Ethertype.

Here's a sample Lua script that might help?

myProtocol = Proto.new("myProtocol", "My Protocol")

-- Define protocol fields
local pf = {
    val1 = ProtoField.uint8("myProtocol.val1", "Value 1", base.DEC),
    val2 = ProtoField.uint8("myProtocol.val2", "Value 2", base.DEC)
}
myProtocol.fields = pf

function myProtocol.dissector(tvb, pinfo, tree)

    pinfo.cols.protocol = myProtocol.name

    local subtree = tree:add(myProtocol, tvb())
    subtree:add(pf.val1, tvb(0, 1))
    subtree:add(pf.val2, tvb(1, 1))

end

DissectorTable.get("ethertype"):add(0x1234, myProtocol)

If you want to test it, you can copy the following text to a file, say ask31774.txt, and then use text2pcap -F pcap ask31774.txt ask31774.pcap to convert it to a pcap file that you can then load into Wireshark to see it dissected:

0000 01 01 01 01 01 01 02 02 02 02 02 02 12 34 01 02

If this doesn't help or it's not what you're looking for, then please update your question with more details and specifics.

edit flag offensive delete link more

Comments

The problem is that I don't know the ethertype, as its not included in the ethernet format I am working with. Normally if I can't find some value, I just put some default value so that the user can change it in the decode as, as needed, but this doesn't work for this case.

mosp gravatar imagemosp ( 2023-06-15 18:14:38 +0000 )edit

In that case, you could use a preference? For example:

myProtocol = Proto.new("myProtocol", "My Protocol")

-- Preferences
local prefs = {
    etype = 0
}

myProtocol.prefs.etype = Pref.uint("Ethertype", prefs.etype, "The Ethertype")

function myProtocol.prefs_changed()
    if prefs.etype ~= myProtocol.prefs.etype then

        if (prefs.etype ~= 0) then
            DissectorTable.get("ethertype"):remove(prefs.etype, myProtocol)
        end

        prefs.etype = myProtocol.prefs.etype
        if (prefs.etype ~= 0) then
            DissectorTable.get("ethertype"):add(prefs.etype, myProtocol)
        end
    end
end

-- Define protocol fields
local pf = {
    val1 = ProtoField.uint8("myProtocol.val1", "Value 1", base.DEC),
    val2 = ProtoField.uint8("myProtocol.val2", "Value 2", base.DEC)
}
myProtocol.fields = pf

function myProtocol.dissector(tvb, pinfo, tree)

    pinfo.cols.protocol = myProtocol.name

    local subtree = tree:add(myProtocol, tvb()) --, "My Protocol")
    subtree:add(pf.val1, tvb(0, 1))
    subtree:add(pf.val2, tvb(1, 1))

end

if prefs.etype ~= 0 then
    DissectorTable.get("ethertype"):add(prefs.etype, myProtocol)
end
cmaynard gravatar imagecmaynard ( 2023-06-15 19:44:48 +0000 )edit

And "Decode As" functionality also works.

cmaynard gravatar imagecmaynard ( 2023-06-15 19:46:52 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-06-15 15:07:14 +0000

Seen: 455 times

Last updated: Jun 16 '23

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2