How to provide subset TVB for the subsequent dissectors in Lua?

asked 2024-08-30 07:53:15 +0000

Linxiao Yu

updated 2024-08-30 11:36:54 +0000

Hi everyone. I'm writing a Lua dissector for a custom proxy protocol, say FOO, which uses TCP for transport. I have completed the TCP reassembly. The protocol running on top of FOO is simply TLS. After TCP reassembly, the FOO segments look like this (I'll do my best to illustrate it, since I can't post images :):

<-- FOO Header --><------- FOO Payload -------><-- FOO Header --><------- FOO Payload -------><--- ... --->

<------------------- FOO Segment 1 ------------------><------------------- FOO Segment 2 ------------------><--- ... --->

The FOO Payload is actually a TLS segment. Therefore, I tried to call TLS dissector directly:

--- Suppose the FOO Header is of length L
local tls_dissector = Dissector.get("tls")
--- Some code
tls_dissector(tvb(L):tvb(), pktinfo, tree)

However, it seems that this method does not reassemble TLS segments well. If a TLS Application Data record spans two (or more) FOO segments, these segments, except for the first one, are not dissected correctly. As a result, all records except the first show no column information or are marked as "Continuation Data".

Therefore, I think I should hand the FOO Payload to the TLS dissector as some new Tvb, the way TCP hands its payload to the FOO dissector. I looked at Section 1.7 of README.dissector. It seems that tvb_new_subset_remaining could achieve this. I wonder whether the Lua API provides this mechanism (I didn't find it in the Lua API Reference)?

UPDATE 1: I've uploaded the related Lua dissector code (you may also need to download the utils) and the testing capture to GitHub. Feel free to check them if you are interested. :)

Any suggestions would be appreciated! The Wireshark version is 4.3.0 (v4.3.0rc1-256-g49164027c622).


Comments

Could you handle FOO reassembly by accumulating the FOO segments in a ByteArray (11.6.1) then passing that to TLS with bytearray:tvb(name) (11.6.1.24)?

Chuckc ( 2024-08-30 09:43:17 +0000 )

@Chuckc Thanks for your reply! It seems that accumulating data into a single ByteArray requires collecting the Tvb data of several packets. I wonder how I could fetch the Tvb data of the next packets while I'm dissecting the current one. The only method I know is using pktinfo.desegment_len, but that method consumes all the successive Tvb data, including the FOO header. Since I don't know in advance how many FOO segments the TLS segment spans, pktinfo.desegment_len seems hard to determine. :(

As for bytearray:tvb(name), I don't know whether I could refer to the created Tvb using the name argument, since the doc says little about it and only gives a simple example. Could you please explain your method in more detail?

I don't know if I misunderstood your suggestion; please feel free to correct me. :)

Linxiao Yu ( 2024-08-30 11:32:46 +0000 )
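The following is an added example, written for this page; it is neither the original poster's dissector nor code from Wireshark. It shows the two mechanisms discussed above in one place: `tvbrange:tvb()` (the Lua counterpart of a subset tvb, which the question already uses) for slicing a FOO segment, and Chuckc's suggestion of collecting FOO payloads in a `ByteArray` and handing `bytearray:tvb(name)` to the TLS dissector. It assumes a hypothetical 4-byte FOO header (2-byte magic, 2-byte big-endian payload length), TCP port 8443 and the protocol name `foo_demo`; none of these come from the original post.

```lua
-- Added example (not the poster's code). Assumed FOO header: 2-byte magic,
-- 2-byte big-endian payload length. Port and protocol name are assumptions.
local FOO_HDR_LEN = 4
local FOO_PORT    = 8443

local foo = Proto("foo_demo", "FOO demo proxy")
local f_magic = ProtoField.uint16("foo_demo.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("foo_demo.len",   "Payload length", base.DEC)
foo.fields = { f_magic, f_len }

local tls = Dissector.get("tls")

function foo.dissector(tvb, pktinfo, tree)
  pktinfo.cols.protocol = "FOO"
  local root    = tree:add(foo, tvb(), "FOO")
  local payload = ByteArray.new()   -- every FOO payload in this TCP PDU
  local offset  = 0

  while offset < tvb:len() do
    local avail = tvb:len() - offset
    -- Not even a full FOO header: ask TCP for one more segment, restart here.
    if avail < FOO_HDR_LEN then
      pktinfo.desegment_offset = offset
      pktinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
      return tvb:len()
    end
    local plen = tvb(offset + 2, 2):uint()
    -- Header complete but body truncated: ask TCP for exactly the missing bytes.
    if avail < FOO_HDR_LEN + plen then
      pktinfo.desegment_offset = offset
      pktinfo.desegment_len    = FOO_HDR_LEN + plen - avail
      return tvb:len()
    end

    -- tvb(offset, n) is a TvbRange; tvb(offset, n):tvb() would be the subset Tvb.
    local seg = root:add(tvb(offset, FOO_HDR_LEN + plen), "FOO segment")
    seg:add(f_magic, tvb(offset, 2))
    seg:add(f_len,   tvb(offset + 2, 2))
    -- Copy the payload bytes (header stripped) into the accumulation buffer.
    payload:append(tvb(offset + FOO_HDR_LEN, plen):bytes())
    offset = offset + FOO_HDR_LEN + plen
  end

  if payload:len() > 0 then
    -- bytearray:tvb(name) builds a new Tvb over the accumulated bytes and adds
    -- it to this frame's data sources (visible as a separate tab in the bytes
    -- pane), so TLS sees one contiguous stream even where a record crosses a
    -- FOO segment boundary inside this PDU.
    local tls_tvb = payload:tvb("Reassembled FOO payload")
    tls:call(tls_tvb, pktinfo, tree)
  end
  return tvb:len()
end

DissectorTable.get("tcp.port"):add(FOO_PORT, foo)
```

This only coalesces FOO payloads that arrive in the same reassembled TCP PDU. A TLS record that continues into the next TCP PDU is still cut: the TLS dissector would set `desegment_offset`/`desegment_len` relative to the ByteArray-backed Tvb, which TCP cannot map back onto its own payload, so cross-PDU records need the dissector to keep per-stream state (for example keyed by the `tcp.stream` field) and carry the unconsumed tail into the next call itself. That part is not shown here.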