subtree:add displays "<MISSING>" value

asked 2023-11-01 17:19:58 +0000

wstrand
1 ●1

updated 2023-11-01 18:37:39 +0000

Hello,

I am attempting to write a simple Lua dissector that displays a BLE advertisement's raw payload data, nothing fancy. This raw payload data is already defined with the field: "btcommon.eir_ad.entry.data". I want to use this field instead of manually parsing the whole tvb buffer from the dissector callback function.

However, after running the script on some example vendor/manufacturer-specific advertisements, the raw payload data is returned with the value <missing>. I tried diagnosing using the console, but it seems like printing the value is working.

I am using a nRF BLE Sniffer Dongle & the related capture plugin to capture the BLE advertisements, so this is why the "btcommon.eir_ad.entry.data" field is being used, and where the data is supposed to be coming from. This may be the issue - is it possible to reference a field rather than the whole tvb buffer?

Please see the below code:

local msgData = Field.new('btcommon.eir_ad.entry.data')

local bgNotificationData = Proto('bgadv', 'Background Notification Data')

local rawMessage = ProtoField.bytes('bgadv.data')

bgNotificationData.fields =
{
    rawMessage,
}

function bgNotificationData.dissector(tvb, pinfo, tree)
    local btMsgData = msgData()

    local subtree = tree:add(bgNotificationData, btMsgData, "Message Data")
    subtree:add(rawMessage, tostring(btMsgData))
end

register_postdissector(bgNotificationData)

I have a feeling the issue is in the below line:

subtree:add(rawMessage, tostring(btMsgData))

But I can't find any info about subtree:add returning the value <missing>. tostring(btMsgData) returns the string that I am looking for... any help would be great, TIA!

edit retag flag offensive close merge delete

Comments

Sample capture with this field attached to
12103: Nordic dll dissector plugin makes Wireshark crash during startup

Chuckc ( 2023-11-02 14:58:06 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2023-11-02 15:26:00 +0000

Chuckc
3023 ●6 ●608 ●20

(I used the field processing loop from EASYPOST.lua )
To add a bytes field to the tree, specify the tvb:
11.7.1. TreeItem

11.7.1.2. treeitem:add([protofield], [tvbrange], [value], [label])

            subtree:add(rawMessage, v.tvb)

If you just to want a string displaying the value then define the field as a string not bytes.

local msgData = Field.new('btcommon.eir_ad.entry.data')

local bgNotificationData = Proto('bgadv', 'Background Notification Data')

local rawMessage = ProtoField.bytes('bgadv.data')

bgNotificationData.fields =
{
    rawMessage,
}

function bgNotificationData.dissector(tvb, pinfo, tree)
    local subtree = nil

    -- copy existing field(s) into table for processing
    finfo = { msgData() }

    if (#finfo > 0) then
        if not subtree then
            subtree = tree:add(bgNotificationData, btMsgData, "Message Data")
        end
        for k, v in pairs(finfo) do
            -- process data and add results to the tree
            subtree:add(rawMessage, v.tvb)
        end
    end
end

register_postdissector(bgNotificationData)

edit flag offensive delete link

add a comment

answered 2023-11-02 09:59:49 +0000

Babb

1 ●1 ●2

updated 2023-11-02 10:00:58 +0000

Hi,

I think your problem lies in

local subtree = tree:add(bgNotificationData, btMsgData, "Message Data")

Let me explain:

bgNotificationData is the proto

msgData is a field extractor which gets called and its actual data is then transferred into btMsgData

Now, thing is like this, when you call TreeItem:add, your 1st arg is a Proto. This means that 2nd arg is either a tvb range, or a value.

If the 2nd arg is a tvb range, then the 3rd one is the value (if given)

If the 2nd arg is not a tvb range, then it is automatically the value of the field.

In your code, since the 2nd arg is not a tvb range, but a value from the field extractor, that's actually the value of the field, rendering the 3rd argument useless.

You might want to try something like

local subtree = tree:add(bgNotificationData,tvb:range([offset],[length]),tostring(btMsgData)):append_text("Message Data")

or something similar

Then, you can

subtree:add(rawMessage,tostring(btMsgData))

edit flag offensive delete link

add a comment