How to Grab Packets for a Lua Dissector Using Part of a Field

asked 2023-08-10 19:57:56 +0000

I'm able to filter in wireshark for the BLE packets I'm looking for using "btcommon.eir_ad.entry.custom_uuid_128 contains" followed by the part of the custom UUID that identifies the packets I'm looking for. I'm trying to create a Lua Dissector to parse those packets. I believe I should be using:

BLE_table = DissectorTable.get("btcommon.eir_ad.entry.custom_uuid_128")

What I can't figure out is what to use in BLE_table:add() to get the correct packets.

edit retag flag offensive close merge delete


There is no dissector table by that name. From tshark -G dissector-tables | grep btcommon, you'll only find (with master) these btcommon-related tables:

btcommon.eir_ad.entry.uuid      BT EIR/AD Service UUID  FT_STRING       BT Common       Decode As not supported
btcommon.eir_ad.manufacturer_company_id BT EIR/AD Manufacturer Company ID      FT_UINT16        BASE_HEX        BT Common       Decode As supported
btcommon.eir_ad.tds_organization_id     BT EIR/AD TDS Organization ID   FT_UINT8BASE_HEX        BT Common       Decode As supported
cmaynard gravatar imagecmaynard ( 2023-08-10 21:45:06 +0000 )edit

Do you mean these are the only ones that can be used with Lua? I've been able to use btcommon.eir_ad.entry.custom_uuid_128 as a filter in Wireshark. I can try using btcommon.eir_ad.entry.uuid, but what do I pass into BLE_table:add() when I only want to use part of the UUID to identify the packet?

fireflyXchicka gravatar imagefireflyXchicka ( 2023-08-11 17:39:29 +0000 )edit

Yes, btcommon.eir_ad.entry.custom_uuid_128 is a valid field and thus can be used as a Wireshark display filter, but it's not a a dissector table. From your use case, I don't think registering with btcommon.eir_ad.entry.uuid will work for you if you're only matching a part of the UUID. You may need to implement a Wireshark Postdissector instead, where you grab the btcommon.eir_ad.entry.custom_uuid_128 field, parse it, and only continue with your custom dissection if the portion of that field meets your criteria.

cmaynard gravatar imagecmaynard ( 2023-08-11 18:04:46 +0000 )edit

That's doable. What command would I need to just grab the btcommon.eir_ad.entry.custom_uuid_128 field?

fireflyXchicka gravatar imagefireflyXchicka ( 2023-08-11 18:08:17 +0000 )edit

You'd just use something like:

local custom_uuid_128 ="btcommon.eir_ad.entry.custom_uuid_128")

Maybe have a look at the IPv6 Postdissector I wrote as an example? See also a couple of other PostDissectors and some listed on the Examples page. And another on the Dissectors page. And another wireshark-postdissector.

The register_postdissector() is documented in section of the Wireshark Developer Guide.

NOTE: There may be another solution, but I can't think of one.

cmaynard gravatar imagecmaynard ( 2023-08-11 18:19:49 +0000 )edit