I want Wireshark to decode custom user defined packets for the CIGI protocol (this protocol is already included in a Wireshark .c file).
In other words, I want to modify an existing protocol.
Can this be done using a .lua script, if so could someone give me a simple example?
The way to make this work is to change the CIGI C dissector to have the packet ID type be a dissector table, and then your Lua dissector could register a particular packet ID number in the locally defined range to a table value.
That's a reasonable enhancement for the dissector,but it would be a lot easier for someone else to implement with a sample file. If you can provide a sample, file an enhancement request at the GitLab project page for Wireshark.
Please see the following MR which implements a dissector table in the CIGI 3 dissector which will allow you to register a Lua function to one of user defined entries: https://gitlab.com/wireshark/wireshar...
THERE IS NO ERROR CHECKING in this. Buyer beware!!!
There are a few more fields to be done.
With the existing sample capture being mostly "0" and the ff failed flag it's hard to test the field results in the tree.
Should Beacon Type be a int8 since valid value includes -1?
Frame 814: 104 bytes on wire (832 bits), 104 bytes captured (832 bits) on interface \Device\NPF_Loopback, id 0
Null/Loopback
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
User Datagram Protocol, Src Port: 1035, Dst Port: 1034
Common Image Generator Interface (3), 127.0.0.1 => 127.0.0.1 (72 bytes)
IG Control (24 bytes)
User-Defined Data (48 bytes)
Packet ID: User-Defined Data (201)
Packet Size (bytes): 48
Data: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000
CIGI Data Protocol
Instance ID: 0
Mode: 0
Mode Secondary: 0
Autostabilization: 0
Autotilt: 0
Gain (dBs): 0
Gain Secondary (dBs): 0
Scan Range (meters): 0
Beacon Type: 255
CIGI data: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000
-- cigidata.lua
-- https://ask.wireshark.org/question/35173/how-to-add-cigis-user-defined-packet-at-wireshark-using-lua-script/
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed
-- Step 1 - document as you go. See header above and set_plugin_info().
local cigidata_info =
{
version = "1.0.0",
author = "Good Coder",
description = "CIGI data",
repository = "Floppy in top drawer"
}
set_plugin_info(cigidata_info)
-- Step 2 - create a protocol to attach new fields to
local cigidata_p = Proto.new("cigidata","CIGI Data Protocol")
-- Step 3 - add some field(s) to Step 2 protocol
local pf = {
instance_id = ProtoField.uint16( "cigidata.instance_id", "Instance ID"),
mode = ProtoField.uint8( "cigidata.mode", "Mode"),
mode_secondary = ProtoField.uint8( "cigidata.mode_secondary", "Mode Secondary"),
autostabilization = ProtoField.uint8( "cigidata.autostabilization", "Autostabilization"),
autotilt = ProtoField.uint8( "cigidata.autotilt", "Autotilt"),
gain = ProtoField.float( "cigidata.gain", "Gain (dBs)"),
gain_secondary = ProtoField.float( "cigidata.gain_secondary", "Gain Secondary (dBs)"),
scan_range = ProtoField.float( "cigidata.scan_range", "Scan Range (meters)"),
beacon_type = ProtoField.uint8( "cigidata.beacon_type", "Beacon Type"),
payload = ProtoField.bytes( "cigidata.payload", "CIGI data")
}
cigidata_p.fields = pf
-- Step 4 - create a Field extractor to copy packet field data.
cigidata_payload_f = Field.new("cigi.data")
-- Step 5 - create the postdissector function that will run on each frame/packet
function cigidata_p.dissector(tvb,pinfo,tree)
local subtree = nil
-- copy existing field(s) into table for processing
finfo = { cigidata_payload_f() }
if (#finfo > 0) then
if not subtree then
subtree = tree:add(cigidata_p)
end
for k, v in pairs(finfo) do
-- process data and add results to the tree
-- local field_data = string.format("%s", v):upper()
subtree:add(pf.instance_id, v.range(0,2))
subtree:add(pf.mode, v.range(2,1))
subtree:add(pf.mode_secondary, v.range(3,1))
subtree:add(pf.autostabilization,v.range(4,1))
subtree:add(pf.autotilt, v.range(5,1))
subtree:add(pf.gain, v.range(6,4))
subtree:add(pf.gain_secondary, v.range(10,4))
subtree:add(pf.scan_range, v.range(14,4))
subtree:add(pf.beacon_type, v.range(42,1))
subtree:add(pf.payload, v.range)
end
end
end
-- Step 6 - register the new protocol as ...This information is very useful. The thing is that there can be several custom commands (this example is only for 201, but there could be 202, 203.... each with its own fields) and I would have to dissect one or the other depending on the packet id.
How can I change the fields depending on the packet id?
As mentioned in another answer, the C dissector for CIGI needs to be changed in order to register a dissector table for packet ids. Probably multiple tables to handle CIGI 2, 3, and 4 separately.
It would be easier with the change @johnthacker mentioned.
Until then more lua code (see Duct tape and baling wire: Extending Wireshark with Lua”) could grab the cigi.packet_id field and align it with the multiple cigi.data fields and branch accordingly.
More sample captures than contain these different data formats would help.
It's not possible to extend an existing protocol (LUA script - Add a new Field in the Default TCP Dissector).
The sample captures on the Wireshark wiki Common Image Generator Interface (CIGI) page don't include any user defined fields.
Is the data available in cigi.data?
You could write a post-dissector (see EASYPOST.lua in the wiki lua examples) and create a new protocol that would show up underneath CIGI in the packet details.
Frame 639: 494 bytes on wire (3952 bits), 494 bytes captured (3952 bits)
Ethernet II, Src: SuperMicroCo_25:44:4a (00:30:48:25:44:4a), Dst: Dell_8b:38:31 (00:06:5b:8b:38:31)
Internet Protocol Version 4, Src: 130.38.180.250 (130.38.180.250), Dst: 130.38.180.254 (130.38.180.254)
User Datagram Protocol, Src Port: 32775, Dst Port: 8004
Common Image Generator Interface (2), 130.38.180.250 => 130.38.180.254 (452 bytes)
Important EASYPOST Protocol
CIGI packages have an identifier so that the data they contain can be derived. However, there are reserved identifiers so that the user can define their own packets with their own custom data. These are the ones I would like to be able to see in Wireshark for debugging purposes. Is it possible to display the selected data user-friendly way using post-dissector?
Yes but ...
the screen shot shows that the data is available in field cigi.data.
It gets difficult if a frame can contain multiple user defined CIGI data packets and then if they could/would be different packet IDs that would need to be dissected differently.
Can you provide a sample capture to look at?
Specification PDFs: https://cigi.sourceforge.io/specifica...
Version 2 explicitly states multiple instances possible:
There may or may not be multiple instances of this data packet per frame depending on its intended use.
Version 3 makes no mention but probably should be handled for in the code.
This is a capture: https://drive.google.com/file/d/1f4ca...
This is custom command structure: https://drive.google.com/file/d/1KuIV...
Asked: 2024-07-22 15:15:05 +0000
Seen: 156 times
Last updated: Jul 24