Ask Your Question
0

how to get tcp reassembled length in lua

asked 2024-09-12 11:14:37 +0000

zhaoxian gravatar image

updated 2024-09-13 01:19:25 +0000

I have some out-of-order TCP packets, and when the correctly sequenced packets are received, Wireshark's TCP reassembly is able to correctly reorder this data and obtain the correct data length. However, when I try to access the reassembled TCP data in Lua using Field.new("tcp.reassembled.data"), Field.new("tcp.reassembled.length"), Field.new("tcp.segments"), etc., they always return nil. So, how can I access these fields to get the reassembled TCP data?

local log_enabled=true
local max_file_size=10 * 1024 --10M
local listen_port=514
local buf=""
local tcp_dstport=Field.new("tcp.dstport")
local tcp_srcport=Field.new("tcp.srcport")
local tcp_stream=Field.new("tcp.stream")
local tcp_len=Field.new("tcp.len")
local tcp_reassembled_len=Field.new("tcp.reassembled.length")
local tcp_segments=Field.new("tcp.segments")
local data_field = Field.new("data.data")
local function get_time()
    return os.date("%Y%m%d_%H%M%S",os.time())
end

local function get_file_path(stream_number)
    return string.format("C:\\Users\\usr\\Downloads\\Syslog_Stream_%s_%s.log", stream_number,get_time())
end
local relp_proto = Proto("RELP", "RELP Protocol")
_G.MAXSTRINGSZ = 0
-- Define fields for RELP protocol
local relp_fields = {
    syslog_records = ProtoField.string("relp.syslog_records", "Syslog Records")
}
local file
if log_enabled then
    file=io.open(get_file_path(tcp_stream),"w")
end
function log(content)
    if log_enabled then
        file:write(content)
    end
end
relp_proto.fields = relp_fields
function relp_proto.init()
    buf=""
end
function relp_proto.dissector(tvbuf, pinfo, tree)
    --if pinfo.visited ==true then 
    log("pinfo:"..pinfo.number)
    if tcp_reassembled_len()~=nil then
        log("   tcp assembled_in:"..tcp_reassembled_len().value.."\n")
    else
        log("  tcp len:"..tcp_len().value.."\n")
    end

end

tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(listen_port, relp_proto)
edit retag flag offensive close merge delete

Comments

Can you share code that's not working or try this sample to see if it works:

.
-- EASYPOST.lua
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed

-- Step 1 - document as you go. See header above and set_plugin_info().
local easypost_info =
{
    version = "1.0.0",
    author = "Good Coder",
    description = "Important EASYPOST stuff",
    repository = "Floppy in top drawer"
}

set_plugin_info(easypost_info)

-- Step 2 - create a protocol to attach new fields to
local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")

-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") }

easypost_p.fields = pf

-- Step 4 - create a Field extractor to copy packet field data.
easypost_payload_f = Field.new("tcp.reassembled.length")

-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
    local subtree = nil

    -- copy existing field(s) into table ...
(more)
Chuckc gravatar imageChuckc ( 2024-09-12 12:38:43 +0000 )edit

Add my script.

zhaoxian gravatar imagezhaoxian ( 2024-09-13 01:17:33 +0000 )edit

I've started a RELP page on the Wireshark wiki.
There is a sample capture - 240913_RELP_syslog.pcapng.
Can you recreate the issue with that capture file so we have a common test environment?
(If it doesn't display the issue you're trying to solve can you suggest a config or test traffic so that I can update the capture)

Chuckc gravatar imageChuckc ( 2024-09-13 20:39:02 +0000 )edit

My problem is solved. When I use a DissectorTable.get("tcp.port"), it will work to get the tcp payload from the tvb passed to dissector function. However, if we use tap, then we can use tcp_data=Field.new("tcp.reassembled.data"), and then call tcp_data().range. I don't know the reason of this differential. But when I deal with these two different scenarios in this way, it indeed behaves as expected.

zhaoxian gravatar imagezhaoxian ( 2024-09-15 06:22:38 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-09-14 13:46:21 +0000

Chuckc gravatar image

Dissector (lua code) added to wiki page: Protocols/relp

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-09-12 11:14:37 +0000

Seen: 98 times

Last updated: Sep 14