LUA script - Add a new Field in the Default TCP Dissector

asked 2024-07-11 15:03:53 +0000

bunnis
1 ●1 ●2 ●2

updated 2024-07-11 15:04:23 +0000

Hello

I'm writing a Lua script for a Vendor device that outputs error codes in the TCP Window value of RST packets. So far I was able to successfully create my LUA script, which works fine. The only "problem" is that my value goes into a new subtree of the Packet Details Tree. I would like to add this as a new child in the TCP subtree, for example, below the Windows value itself. I have the impression that this is not possible with the LUA script, however I would like to ask the community to validate it or point me in the right direction. The following code is based on the chained dissectors code found at https://wiki.wireshark.org/Lua/Dissec... and will output the following example

image description

local ip_proto_table = DissectorTable.get("ip.proto")
-- save the original dissector so we can still get to it
local original_tcp_dissector = ip_proto_table:get_dissector(6)

-- Reset code to description table
-- Define a new protocol, but doesn't register it yet
local tcp_windows_proto = Proto("tcp_windows", "Reset Window Codes")

-- Define the fields
local pf_window = ProtoField.uint16("tcp_windows.window", "Window Size", base.DEC)
local pf_query  = ProtoField.new("Query", "tcp_windows.explain", ftypes.BYTES)
local f_custom_string = ProtoField.string("tcp_windows.custom_string", "Description of the Reset Code")

tcp_windows_proto.fields = { pf_window, pf_query, f_custom_string}


-- Dissection function
function tcp_windows_proto.dissector(buffer, pinfo, tree)
  -- Check if the packet contains TCP


local subtreeitem = tree:add(f_custom_string, "Output before")

-- we've replaced the original http dissector in the dissector table,
-- but we still want the original to run, especially because we need to read its data
original_tcp_dissector:call(buffer, pinfo, tree)


local subtreeitem = tree:add(f_custom_string, "Output after")

end


-- Register the dissector and take its place in the dissector table
ip_proto_table:add(6, tcp_windows_proto)

answered 2024-07-11 17:37:32 +0000

Chuckc
2968 ●6 ●593 ●20

There is a more recent answer here as to why not but can't find it at the moment.
Here is a past answer (LUA dissector: update treeitem in earlier packet) and the project associated with it (Github: gaddman/wireshark-tcpextend)

Do your captures have any protocols that are decoded by a TCP heuristic?
If not, you could add your dissector to the TCP heuristic table and set TCP preference to run heuristics first.

Frame 1: 88 bytes on wire (704 bits), 88 bytes captured (704 bits)
Linux cooked capture v1
Internet Protocol Version 4, Src: 192.168.0.2 (192.168.0.2), Dst: 10.130.0.2 (10.130.0.2)
Transmission Control Protocol, Src Port: 3003, Dst Port: 6689, Seq: 1, Ack: 1, Len: 32
Important EASYPOST Protocol
    EASYPOST data: ·······AP···
IPA protocol ip.access, type: RSL
Radio Signalling Link (RSL)
GSM CCCH - Immediate Assignment

-- EASYPOST.lua
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed

-- Step 1 - document as you go. See header above and set_plugin_info().
local easypost_info =
{
    version = "1.0.0",
    author = "Good Coder",
    description = "Important EASYPOST stuff",
    repository = "Floppy in top drawer"
}

set_plugin_info(easypost_info)

-- Step 2 - create a protocol to attach new fields to
local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")

-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") }

easypost_p.fields = pf

-- Step 4 - create a Field extractor to copy packet field data.
easypost_payload_f = Field.new("tcp.flags.str")

-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
    local subtree = nil

    print("in easypost_p")
    subtree = tree:add(easypost_p)

    -- copy existing field(s) into table for processing
    finfo = { easypost_payload_f() }

    if (#finfo > 0) then
        print("#finfo > 0")
        if not subtree then
            subtree = tree:add(easypost_p)
        end
        for k, v in pairs(finfo) do
            -- process data and add results to the tree
            local field_data = string.format("%s", v):upper()
            subtree:add(pf.payload, field_data)
        end
    end
end

-- Step 6 - register the new protocol as a heuristic
-- 240711 - https://ask.wireshark.org/question/35046/lua-script-add-a-new-field-in-the-default-tcp-dissector/
easypost_p:register_heuristic("tcp", easypost_p.dissector)

edit flag offensive delete link

Comments

Thanks for your answer, I think the way I have it at the moment suffices. Thanks for your input. I have created my script and shared for the community. I might try to fiddle with the Wireshark source code and add this as I originally wanted.

https://github.com/bunnis/Wireshark-L...

bunnis ( 2024-07-15 20:31:12 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

LUA script - Add a new Field in the Default TCP Dissector

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

LUA script - Add a new Field in the Default TCP Dissector edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

LUA script - Add a new Field in the Default TCP Dissector