
Is it possible to attach a dissector to custom options in pcapng

asked 2023-08-02 03:32:04 +0000

We have a custom protocol for which we have developed a Lua-based dissector. But at the time of packet capture, we also need to capture some OOB data and were considering using the custom options capability in pcapng. However, it is not clear to me if we can attach a custom dissector to an option block of the Enhanced Packet Block. Specifically, would this be possible using Lua dissectors? Any pointers would be appreciated.


1 Answer


answered 2023-08-03 06:56:06 +0000

SYN-bit

I don't believe that is currently possible and I would not want that functionality in the pcapng file format. It opens up a large attack surface for nefarious purposes (just like macros in office documents). IMHO it should always be a manual deliberate action for someone to execute code from a third party.

So the best option would be to supply the Lua dissector separately, which might of course not be the most convenient solution.



Supplying the Lua dissector separately is fine with us, but so far from what we say, we are only able to attach the dissector to the packet info and not to the other blocks of data in pcapng. Wanted some examples of how we could get a hook to attach the custom dissector to the options block of the EPB.

abhishekes (2023-08-03 07:11:05 +0000)

Ah, I misread your question then. I now see you need a mechanism to supply non-packet data somehow to your custom dissector. Accessing custom EPBs from Lua would require Wireshark to read those blocks in the first place and AFAIK, that is not done (yet?). You could file an enhancement request for such a feature on Gitlab, but it might take a while (or not be implemented at all).

Another way of doing this is creating packets for the OOB data. In the past I have collected some SNMP values of a load balancer and encoded them in the data part of ping packets that were sent to a host for which the traffic was captured.

As you seem to be able to write the custom EPB, you should also be able to add synthetic packets to the pcapng file (perhaps with a different interface ID) and have your Lua dissector pick ...(more)

SYN-bit (2023-08-03 07:45:24 +0000)
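The synthetic-packet workaround SYN-bit describes, as an added example that is not code from this thread or from Wireshark: a small Python writer that emits a pcapng file with two Interface Description Blocks, one for the real Ethernet traffic and a second one using LINKTYPE_USER0 (assumed here as the private link type the custom Lua dissector would be bound to), and interleaves the OOB records as Enhanced Packet Blocks on that second interface, ordered by timestamp. The frame bytes and OOB record are constructed sample input; the block layouts follow the pcapng specification (timestamps are microseconds because no if_tsresol option is written).

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_USER0 = 147  # assumed: private link type a custom dissector is bound to

def _block(block_type, body):
    # Generic pcapng block framing: type, total length, 32-bit padded body, total length again
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def section_header_block():
    # Byte-order magic, version 1.0, section length -1 (unknown); no options
    return _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def interface_description_block(linktype, snaplen=65535):
    # LinkType, reserved, SnapLen; no if_tsresol option, so timestamps are microseconds
    return _block(0x00000001, struct.pack("<HHI", linktype, 0, snaplen))

def enhanced_packet_block(interface_id, ts_us, data):
    # Interface ID, timestamp high/low, captured length, original length, then packet data
    hdr = struct.pack("<IIIII", interface_id, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
    return _block(0x00000006, hdr + data)

def build_capture(frames, oob_records):
    """frames and oob_records are lists of (timestamp_us, bytes). Real frames go to
    interface 0 (Ethernet); OOB records become synthetic packets on interface 1
    (USER0), interleaved by timestamp so the dissector sees them in capture order."""
    out = section_header_block()
    out += interface_description_block(LINKTYPE_ETHERNET)
    out += interface_description_block(LINKTYPE_USER0)
    tagged = [(ts, 0, d) for ts, d in frames] + [(ts, 1, d) for ts, d in oob_records]
    for ts, iface, data in sorted(tagged, key=lambda t: t[0]):
        out += enhanced_packet_block(iface, ts, data)
    return out

def packets_by_interface(buf):
    """Walk the block chain of a little-endian pcapng buffer and count EPBs per interface."""
    counts, off = {}, 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if btype == 0x00000006:
            iface = struct.unpack_from("<I", buf, off + 8)[0]
            counts[iface] = counts.get(iface, 0) + 1
        off += total
    return counts

if __name__ == "__main__":
    # Constructed sample input: two dummy Ethernet frames with one OOB record between them
    eth = bytes.fromhex("ffffffffffff00112233445508000000")
    cap = build_capture([(1_690_000_000_000_000, eth), (1_690_000_000_000_200, eth)],
                        [(1_690_000_000_000_100, b"oob:temp=42")])
    open("synthetic_oob.pcapng", "wb").write(cap)
    print(packets_by_interface(cap))
```

In Wireshark the USER0 link type can then be mapped to the Lua dissector via the DLT_USER preferences, so OOB records dissect alongside the real traffic without any change to the pcapng option handling.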

@SYN-bit Ha! SNMP over ICMP - you should write an RFC for that. :-)

Chuckc (2023-08-03 11:08:22 +0000)


Last updated: Aug 03 '23